LNCS 3000 



Martin Dietzfelbinger 



ru 
• — 

O 




From Randomized Algorithms to "PRIMES is in P" 






Lecture Notes in Computer Science 

Commenced Publication in 1 973 
Founding and Former Series Editors: 

Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen 



Editorial Board 

Takeo Kanade 

Carnegie Mellon University, Pittsburgh, PA, USA 
Josef Kittler 

Un i versity of Surrey, Guildford, UK 
Jon M. Kleinberg 

Cornell University, Ithaca, NY, USA 
Friedemann Mattern 

ETH Zurich, Switzerland 
John C. Mitchell 

Stanford University, CA, USA 
Moni Naor 

Weizmann Institute of Science, Rehovot, Israel 
Oscar Nierstrasz 

University of Bern, Switzerland 
C. Pandu Rangan 

Indian Institute of Technology, Madras, India 
Bernhard Steffen 

University of Dortmund, Germany 
Madhu Sudan 

Massachusetts Institute of Technology, MA, USA 
Demetri Terzopoulos 

New York University, NY, USA 
Doug Tygar 

University of California, Berkeley, CA, USA 
Moshe Y. Vardi 

Rice University, Houston, IX, USA 
Gerhard Weikum 

Max-Planck Institute of Computer Science, Saarbruecken, Germany 



3000 




Springer 

Berlin 
Heidelberg 
New York 
Hong Kong 
London 
Milan 
Paris 
Tokyo 




Martin Dietzfelbinger 



Primality Testing 
in Polynomial Time 



From Randomized Algorithms to "PRIMES is in 




Springer 




Author 



Martin Dietzfelbinger 

Technische Universitat Ilmenau 

Fakultat fiir Informatik und Automatisierung 

98684 Ilmenau, Germany 

E-mail: martin. dietzfelbinger@ tu-ilmenau.de 



Library of Congress Control Number: 2004107785 



CR Subject Classification (1998): F.2.1, F.2, F.1.3, E.3, G.3 
ISSN 0302-9743 

ISBN 3-540-40344-2 Springer- Verlag Berlin Heidelberg New York 



This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer- Verlag. Violations are 
liable to prosecution under the German Copyright Law. 

Springer- Verlag is a part of Springer Science+Business Media 

springeronline.com 

(c) Springer-Verlag Berlin Heidelberg 2004 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by Boiler Mediendesign 
Printed on acid-free paper SPIN: 10936009 06/3142 5 4 3 2 1 0 




To Angelika, Lisa, Matthias, and Johanna 




Preface 



On August 6, 2002, a paper with the title “PRIMES is in P”, by M. Agrawal, 
N. Kayal, and N. Saxena, appeared on the website of the Indian Institute of 
Technology at Kanpur, India. In this paper it was shown that the “ primality 
problem ” has a “ deterministic algorithm" that runs in “ polynomial time” . 

Finding out whether a given number n is a prime or not is a problem that 
was formulated in ancient times, and has caught the interest of mathemati- 
cians again and again for centuries. Only in the 20th century, with the advent 
of cryptographic systems that actually used large prime numbers, did it turn 
out to be of practical importance to be able to distinguish prime numbers 
and composite numbers of significant size. Readily, algorithms were provided 
that solved the problem very efficiently and satisfactorily for all practical 
purposes, and provably enjoyed a time bound polynomial in the number of 
digits needed to write down the input number n. The only drawback of these 
algorithms is that they use “ randomization ” — that means the computer 
that carries out the algorithm performs random experiments, and there is a 
slight chance that the outcome might be wrong, or that the running time 
might not be polynomial. To find an algorithm that gets by without random- 
ness, solves the problem error-free, and has polynomial running time had 
been an eminent open problem in complexity theory for decades when the 
paper by Agrawal, Kayal, and Saxena hit the web. The news of this amazing 
result spread very fast around the world among scientists interested in the 
theory of computation, cryptology, and number theory; within days it even 
reached The New York Times, which is quite unusual for a topic in theoretical 
computer science. 

Practically, not much has changed. In cryptographic applications, the fast 
randomized algorithms for primality testing continue to be used, since they 
are superior in running time and the error can be kept so small that it is 
irrelevant for practical applications. The new algorithm does not seem to 
imply that we can factor numbers fast, and no cryptographic system has 
been broken. Still, the new algorithm is of great importance, both because of 
its long history and because of the methods used in the solution. 

As is quite common in the field of number-theoretic algorithms, the for- 
mulation of the deterministic primality test is very compact and uses only 
very simple basic procedures. The analysis is a little more complex, but as- 




VIII Preface 



toundingly it gets by with a small selection of the methods and facts taught 
in introductory algebra and number theory courses. On the one hand, this 
raises the philosophical question whether other important open problems in 
theoretical computer science may have solutions that require only basic meth- 
ods. On the other hand, it opens the rare opportunity for readers without a 
specialized mathematical training to fully understand the proof of a new and 
important result. 

It is the main purpose of this text to guide its reader all the way from 
the definitions of the basic concepts from number theory and algebra to a 
full understanding of the new algorithm and its correctness proof and time 
analysis, providing details for all the intermediate steps. Of course, the reader 
still has to go the whole way, which may be steep in some places; some basic 
mathematical training is required and certainly a good measure of persever- 
ance. 

To make a contrast, and to provide an introduction to some practically 
relevant primality tests for the complete novice to the field, also two of the 
classical primality testing algorithms are described and analyzed, viz., the 
“Miller-Rabin Test” and the “Solovay-Strassen Test”. Also for these algo- 
rithms and their analysis, all necessary background is provided. 

I hope that this text makes the area of primality testing and in particular 
the wonderful new result of Agrawal, Kayal, and Saxena a little easier to ac- 
cess for interested students of computer science, cryptology, or mathematics. 

I wish to thank the students of two courses in complexity theory at the 
Technical University of Ilmenau, who struggled through preliminary versions 
of parts of the material presented here. Thanks are due to Juraj Hromkovic 
for proposing that this book be written as well as his permanent encourage- 
ment on the way. Thomas Hofmeister and Juraj Hromkovic read parts of 
the manuscript and gave many helpful hints for improvements. (Of course, 
the responsibility for any errors remains with the author.) The papers by 
D.G. Bernstein, generously made accessible on the web, helped me a lot 
in shaping an understanding of the subject matter. I wish to thank Alfred 
Hofmann of Springer- Verlag for his patience and the inexhaustible enthusi- 
asm with which he accompanied this project. And, finally, credit is due to 
M. Agrawal, N. Kayal, and N. Saxena, who found this beautiful result. 

Ilmenau, March 2004 Martin Dietzfelbinger 




Contents 



1. Introduction: Efficient Primality Testing 1 

1.1 Algorithms for the Primality Problem 1 

1.2 Polynomial and Superpolynomial Time Bounds 2 

1.3 Is PRIMES in P? 6 

1.4 Randomized and Superpolynomial Time Algorithms 

for the Primality Problem 7 

1.5 The New Algorithm 9 

1.6 Finding Primes and Factoring Integers 10 

1.7 How to Read This Book 11 

2. Algorithms for Numbers and Their Complexity 13 

2.1 Notation for Algorithms on Numbers 13 

2.2 O-notation 15 

2.3 Complexity of Basic Operations on Numbers 18 

3. Fundamentals from Number Theory 23 

3.1 Divisibility and Greatest Common Divisor 23 

3.2 The Euclidean Algorithm 27 

3.3 Modular Arithmetic 32 

3.4 The Chinese Remainder Theorem 35 

3.5 Prime Numbers 38 

3.5.1 Basic Observations and the Sieve of Eratosthenes 39 

3.5.2 The Fundamental Theorem of Arithmetic 42 

3.6 Clrebyclrev’s Theorem on the Density of Prime Numbers 45 

4. Basics from Algebra: Groups, Rings, and Fields 55 

4.1 Groups and Subgroups 55 

4.2 Cyclic Groups 59 

4.2.1 Definitions, Examples, and Basic Facts 59 

4.2.2 Structure of Cyclic Groups 62 

4.2.3 Subgroups of Cyclic Groups 64 

4.3 Rings and Fields 66 

4.4 Generators in Finite Fields 69 




X Contents 

5. The Miller-Rabin Test 73 

5.1 The Fermat Test 73 

5.2 Nontrivial Square Roots of 1 78 

5.3 Error Bound for the Miller-Rabin Test 82 

6. The Solovay-Strassen Test 85 

6.1 Quadratic Residues 85 

6.2 The Jacobi Symbol 87 

6.3 The Law of Quadratic Reciprocity 88 

6.4 Primality Testing by Quadratic Residues 92 

7. More Algebra: Polynomials and Fields 95 

7.1 Polynomials over Rings 95 

7.2 Division with Remainder and Divisibility for Polynomials .... 102 

7.3 Quotients of Rings of Polynomials 105 

7.4 Irreducible Polynomials and Factorization 108 

7.5 Roots of Polynomials Ill 

7.6 Roots of the Polynomial X r — 1 112 

8. Deterministic Primality Testing in Polynomial Time 115 

8.1 The Basic Idea 115 

8.2 The Algorithm of Agrawal, Kayal, and Saxena 117 

8.3 The Running Time 118 

8.3.1 Overall Analysis 118 

8.3.2 Bound for the Smallest Witness r 119 

8.3.3 Improvements of the Complexity Bound 120 

8.4 The Main Theorem and the Correctness Proof 122 

8.5 Proof of the Main Theorem 123 

8.5.1 Preliminary Observations 124 

8.5.2 Powers of Products of Linear Terms 124 

8.5.3 A Field F and a Large Subgroup G of F* 126 

8.5.4 Completing the Proof of the Main Theorem 130 

A. Appendix 133 

A.l Basics from Combinatorics 133 

A. 2 Some Estimates 136 

A. 3 Proof of the Quadratic Reciprocity Law 137 

A. 3.1 A Lemma of Gauss 137 

A. 3. 2 Quadratic Reciprocity for Prime Numbers 139 

A. 3. 3 Quadratic Reciprocity for Odd Integers 141 

References 143 



Index 



145 




1. Introduction: Efficient Primality Testing 



1.1 Algorithms for the Primality Problem 

A natural number n > 1 is called a prime number if it has no positive 
divisors other than 1 and n. If n is not prime, it is called composite , and 
can be written n = a ■ b for natural numbers 1 < a,b < n. Ever since this 
concept was defined in ancient Greece, the primality problem 

“Given a number n, decide whether n is a prime number or not” 

has been considered a natural and intriguing computational problem. Here 
is a simple algorithm for the primality problem: 

Algorithm 1.1.1 (Trial Division) 

Input: Integer n> 2. 

Method: 

0 i: integer; 

1 i <■— 2; 

2 while i • i < n repeat 

3 if i divides n 

4 then return 1; 

5 i <— i + 1; 

6 return 0; 

This algorithm, when presented with an input number n, gives rise to the 
following calculation: In the loop in lines 2-5 the numbers i = 2, 3, ... , [\/n\ , 
in this order, are tested for being a divisor of n. As soon as a divisor is 
found, the calculation stops and returns the value 1. If no divisor is found, 
the answer 0 is returned. The algorithm solves the primality problem in the 
following sense: 

n is a prime number if and only if Algorithm 1.1.1 returns 0. 

This is because if n = a - b for 1 < a, b < n, then one of the factors a and b is 
not larger than -^/n, and hence such a factor must be found by the algorithm. 
For moderately large n this procedure may be used for a calculation by hand; 
using a modern computer, it is feasible to carry it out for numbers with 20 
or 25 decimal digits. However, when confronted with a number like 

M. Dietzfelbinger: Primality Testing in Polynomial Time, LNCS 3000, pp. 1-12, 2004. 

© Springer- Verlag Berlin Heidelberg 2004 




2 



1. Introduction: Efficient Primality Testing 



n = 74838457648748954900050464578792347604359487509026452654305481, 

this method cannot be used, simply because it takes too long. The 62-digit 
number n happens to be prime, so the loop runs for more than 10 31 rounds. 
One might think of some simple tricks to speed up the computation, like 
dividing by 2, 3, and 5 at the beginning, but afterwards not by any proper 
multiples of these numbers. Even after applying tricks of this kind, and under 
the assumption that a very fast computer is used that can carry out one trial 
division in 1 nanosecond, say, a simple estimate shows that this would take 
more than 10 13 years of computing time on a single computer. 

Presented with such a formidably large number, or an even larger one with 
several hundred decimal digits, naive procedures like trial division are not 
helpful, and will never be even if the speed of computers increases by several 
orders of magnitude and even if computer networks comprising hundreds of 
thousands of computers are employed. 

One might ask whether considering prime numbers of some hundred dec- 
imal digits makes sense at all, because there cannot be any set of objects 
in the real world that would have a cardinality that large. Interestingly, in 
algoritlrmics and especially in cryptography there are applications that use 
prime numbers of that size for very practical purposes. A prominent example 
of such an application is the public key cryptosystem by Rivest, Shamir, and 
Adleman [36] (the “ RSA system”), which is based on our ability to create 
random primes of several hundred decimal digits. (The interested reader may 
wish to consult cryptography textbooks like [37, 40] for this and other exam- 
ples of cryptosystems that use randomly generated large prime numbers.) 

One may also look at the primality problem from a more theoretical point 
of view. A long time before prime numbers became practically important as 
basic building blocks of cryptographic systems, Carl Friedrich Gauss had 
written: 

11 The problem of distinguishing prime numbers from composites, and 
of resolving composite numbers into their prime factors, is one of 
the most important and useful in all of arithmetic. . . . The dignity 
of science seems to demand that every aid to the solution of such an 
elegant and celebrated problem be zealously cultivated .” ([20], in the 
translation from Latin into English from [25]) 

Obviously, Gauss knew the trial division method and also methods for finding 
the prime decomposition of natural numbers. So it was not just any procedure 
for deciding primality he was asking for, but one with further properties — 
simplicity, maybe, and speed, certainly. 



1.2 Polynomial and Superpolynomial Time Bounds 

In modern language, we would probably say that Gauss asked for an efficient 
algorithm to test a number for being a prime, i.e., one that solves the problem 




1.2 Polynomial and Superpolynomial Time Bounds 



3 



fast on numbers that are not too large. But what does “fast” and “ not too 
large” mean? Clearly, for any algorithm the number of computational steps 
made on input n will grow as larger and larger n are considered. It is the rate 
of growth that is of interest here. 

To illustrate a growth rate different from y/n as in Algorithm 1.1.1, we 
consider another algorithm for the primality problem (Lehmann [26]). 

Algorithm 1.2.1 (Lehmann’s Primality Test) 

Input: Odd integer n > 3, integer £ > 2. 

Method: 

0 a, c: integer; b[l. .£]: array of integer; 

1 for i from 1 to £ do 

2 a 4 — a randomly chosen element of {1, . . . , n — 1}; 

3 c 4 — a ( n-1 )/ 2 mod n; 

4 if c ^ {1, n — 1} 

5 then return 1; 

6 else b [i] 4 — c; 

7 if b[l] = •• • = b[f] = 1 

8 then return 1; 

9 else return 0; 

The intended output of Algorithm 1.2.1 is 0 if n is a prime number and 1 
if n is composite. The loop in lines 1-6 causes the same action to be carried 
out £ times, for £ > 2 a number given as input. The core of the algorithm is 
lines 2-6. In line 2 a method is invoked that is important in many efficient 
algorithms: randomization. We assume that the computer that carries out 
the algorithm has access to a source of randomness and in this way can 
choose a number a in {1, ...,n— 1} uniformly at random. (Intuitively, we 
may imagine it casts fair “dice” with n — 1 faces. In reality, of course, some 
mechanism for generating “pseudorandom numbers” is used.) In the ith round 
through the loop, the algorithm chooses a number a, at random and calculates 
Ci = a\ n 1 ^ 2 mod n, i.e. , the remainder when a\ n 1 ^ 2 is divided by n. If Cj 
is different from 1 and n — 1, then output 1 is given, and the algorithm stops 
(lines 4 and 5); otherwise (line 6) Cj is stored in memory cell b [i] . If all of the 
cf s are in {1, n — 1}, the loop runs to the end, and in lines 7-9 the outcomes 
ci,.. .,C( of the £ rounds are looked at again. If n — 1 appears at least once, 
output 0 is given; if all cf s equal 1, output 1 is given. 

We briefly discuss how the output should be interpreted. Since the algo- 
rithm performs random experiments, the result is a random variable. What 
is the probability that we get the “wrong” output? We must consider two 
cases. 

Case 1: n is a prime number. (The desired output is 0.) — We shall see 
later (Sect. 6.1) that for n an odd prime exactly half of the elements a 
of {l,...,n — 1} satisfy a mod n = n — 1, the other half satisfies 
af n ~ i)/ 2 m od n = 1. This means that the loop runs through all £ rounds, 




4 



1. Introduction: Efficient Primality Testing 



and that the probability that Ci = • • • = ct = 1 and the wrong output 1 is 
produced is 2~ e . 

Case 2: n is a composite number. (The desired output is 1.) — There are two 
possibilities. If there is no a in {1, . . . , n — 1} with a ( ' n_1 ^ 2 mod n = n — 1 
at all, the output is guaranteed to be 1, which is the “correct” value. On 
the other hand, it can be shown (see Lemma 5.3.1) that if there is some a 
in {1, . . . , n — 1} that satisfies a^ n_1 ^ 2 mod n = n — 1, then more than half 
of the elements in {1, . . . , n — 1} satisfy a^ n_1 ^ 2 mod n {1 , n — 1}. This 
means that the probability that the loop in lines 1-6 runs for £ rounds is no 
more than 2~^ . The probability that output 0 is produced cannot be larger 
than this bound. 

Overall, the probability that the wrong output appears is bounded by 2~ e . 
This can be made very small at the cost of a moderate number of repetitions 
of the loop. 

Algorithm 1.2.1, our first “efficient” primality test, exhibits some features 
we will find again and again in such algorithms: the algorithm itself is very 
simple, but its correctness or error probability analysis is based on facts from 
number theory referring to algebraic structures not appearing in the text of 
the algorithm. 

Now let us turn to the computational effort needed to carry out Algo- 
rithm 1.2.1 on an input number n. Obviously, the only interesting part of the 
computation is the evaluation of a^ n_1 ^ 2 mod n in line 3. By “modular arith- 
metic” (see Sect. 3.3) we can calculate with remainders modulo n throughout, 
which means that only numbers of size up to n 2 appear as intermediate re- 
sults. Calculating a^ n ~ 1 ^ 2 in the naive way by (n — l)/2 — 1 multiplications 
is hopelessly inefficient, even worse than the naive trial division method. But 
there is a simple trick (“repeated squaring”, explained in detail in Sect. 2.3) 
which leads to a method that requires at most 21ogn multiplications 1 and 
divisions of numbers not larger than n 2 . How long will this take in terms 
of single-digit operations if we calculate using decimal notation for integers? 
Multiplying an /i-digit and an f?-digit number, by the simplest methods as 
taught in school, requires not more than h ■ l multiplications and cq ■ h ■ £ ad- 
ditions of single decimal digits, for some small constant cq. The number ||n||io 
of decimal digits of n equals |"log 10 (n + 1)] « log 10 n, and thus the number 
of elementary operations on digits needed to carry out Algorithm 1.2.1 on 
an n-digit number can be estimated from above by c(log 10 n) 3 for a suitable 
constant c. We thus see that Algorithm 1.2.1 can be carried out on a fast 
computer in reasonable time for numbers with several thousand digits. 

As a natural measure of the size of the input we could take the number 
||n||i 0 = |"log 10 (n + 1)] ~ log 10 n of decimal digits needed to write down n. 
However, closer to the standard representation of natural numbers in comput- 
ers, we take the number ||n|| = ||ri|| 2 = |"log(n-|-l)] of digits of the binary rep- 

1 In this text, In 2 ; denotes the logarithm of x to the base e, while logs; denotes 

the logarithm of x to the base 2. 




1.2 Polynomial and Superpolynomial Time Bounds 



5 



resentation of n, which differs from log n by at most 1. Since (log n) / (log 10 n) 
is the constant (Inl0)/(ln2) « 3.322 « 12, we have ||n||io « j^logn. For 
example, a number with 80 binary digits has about 24 decimal digits.) Simi- 
larly, as an elementary operation we view the addition or the multiplication 
of two bits. A rough estimate on the basis of the naive methods shows that 
certainly c • £ bit operations are sufficient to add, subtract, or compare two 
£-bit numbers; for multiplication and division we are on the safe side if we 
assume an upper bound of c • £ 2 bit operations, for some constant c. Assume 
now an algorithm A is given that performs T^(n) elementary operations on 
input n. We consider possible bounds on T^(n) expressed as /;(logn), for 
some functions /* : N — > R; see Table 1.1. The table lists the bounds we 
get for numbers with about 60, 150, and 450 decimal digits, and it gives the 
binary length of numbers we can treat within 10 12 and lO 20 computational 
steps. 



n 


fi(x) 


fi( 200) 


fi{ 500) 


A (1500) 


Si(10 12 ) 


Si(10 2 °) 


i 


c • X 


200c 


500c 


1,500c 


10 12 /c 


10 2 °/c 


2 


c ■ x 2 


40,000c 


250,000c 


2.2c • 10® 


10®/^ 


io 10 /V^ 


3 


c ■ x 3 


8c • 10 6 


1.25c- 10 8 


3.4c ■ 10 9 


10 4 /^ 


4.6- 10®/ -(/c 


4 


C ■ X 4 


1.6c- 10 9 


6.2c- 10 10 


5.1c- 10 12 


1,000/ \fc. 


100,000/ ^/c 


5 


c ■ x 6 


6.4c- 10 13 


1.6c • 10 16 


1.1c- 10 19 


100/ ^c 


2150/ ^c 


6 


c ■ x 9 


5.1c- 10 2 ° 


2.0c ■ 10 24 


3.8c ■ 10 28 


22/ sfc. 


165/ ^c 


7 


2 In In x 


4.7 • 10 7 


7.3 • 10 9 


4.3 - 10 12 


1,170 


22,000 


8 


c-2^ 


18,000c 


5.4c - 10® 


4.55c • 10 11 


1,600 


4,400 


9 


c • 2 a:/2 


1.3c- 10 3 ° 


1.6c - 10®° 


2.6c - 10 12 ° 


80 


132 



Table 1.1. Growth functions for operation bounds. /i(200), /i (500) , /i(1500) de- 
note the bounds obtained for 200-, 500-, and 1500-bit numbers; Si(10 12 ) and Si(10 2 °) 
are the maximal numbers of binary digits admissible so that an operation bound 
of 10 12 resp. 10 20 is guaranteed 



We may interpret the figures in this table in a variety of ways. Let us 
(very optimistically) assume that we run our algorithm on a computer or 
a computer network that carries out 1,000 bit operations in a nanosecond. 
Then 10 12 steps take about 1 second (feasible), and 10 20 steps take a little 
more than 3 years (usually unfeasible). Considering the rows for /i and /2 
we note that algorithms that take only a linear or quadratic number of op- 
erations can be run for extremely large numbers within a reasonable time. If 
the bounds are cubic (as for Algorithm 1.2.1, fs), numbers with thousands 
of digits pose no particular problem; for polynomials of degree 4 (fi), we 
begin to see a limit: numbers with 30,000 decimal digits are definitely out 
of reach. Polynomial operation bounds with larger exponents or /g) lead 











6 



1. Introduction: Efficient Primality Testing 



to situations where the length of the numbers that can be treated is already 
severely restricted — with (logn) 9 operations we may deal with one 7-digit 
number in 1 second; treating a single 50-digit number takes years. Bounds 
f 7 (logn) = (logn) 21nlnn , /g(logn) = c- and / 9 (logn) = Csfn exceed 

any polynomial in logn for sufficiently large n. For numbers with small bi- 
nary length log n, however, some of these superpolynomial bounds may still be 
smaller than lrigh-degree polynomial bounds, as the comparison between /g, 
/ 7 , and fs shows. In particular, note that for logn = 180,000 (corresponding 
to a 60,000-digit number) we have 21nln(logn) < 5, so /V(logn) < (logn) 5 . 

The bound / 9 (logn) = c-^/n, which belongs to the trial division method, 
is extremely bad; only very short inputs can be treated. 

Summing up, we see that algorithms with a polynomial bound with a truly 
small exponent are useful even for larger numbers. Algorithms with polyno- 
mial time bounds with larger exponents may become impossible to carry out 
even for moderately large numbers. If the time bound is superpolynomial, 
treating really large inputs is usually out of the question. From a theoretical 
perspective, it has turned out to be useful to draw a line between computa- 
tional problems that admit algorithms with a polynomial operation bound 
and problems that do not have such algorithms, since for large enough n, 
every polynomial bound will be smaller than every superpolynomial bound. 
This is why the class P, to be discussed next, is of such prominent importance 
in computational complexity theory. 



1.3 Is PRIMES in P? 

In order to formulate what exactly the question “Is PRIMES in P?” means, 
we must sketch some concepts from computational complexity theory. Tra- 
ditionally, the objects of study of complexity theory are “languages” and 
“functions”. A nonempty finite set £ is regarded as an alphabet , and one 
considers the set £* of all finite sequences or words over £. The most impor- 
tant alphabet is the binary alphabet {0, 1}, where £* comprises the words 

e (the empty word), 0, 1, 00, 01, 10, 11, 000, 001, 010, 011, 100, 101, .... 

Note that natural numbers can be represented as binary words, e.g., by means 
of the binary representation: bin(n) denotes the binary representation of n. 
Now decision problems for numbers can be expressed as sets of words over 
{0,1}, e.g. 

SQUARE = {bin(n) | n > 0 is a square} 

= { 0 , 1 , 100 , 1001 , 10000 , 11001 , 100100 , 110001 , 1000000 , . . .} 



codes the problem “Given n, decide whether n is a square of some number” , 
while 




1.4 Randomized and Superpolynomial Time Algorithms 



7 



PRIMES = {bin(n) | n > 2 is a prime number} 

= { 10 , 11 , 101 , 111 , 1011 , 1101 , 10001 , 10011 , 10111 , 11101 , . . .} 

codes the primality problem. Every subset of E* is called a language. Thus, 
SQUARE and PRIMES are languages. 

In computability and complexity theory, algorithms for inputs that are 
words over a finite alphabet are traditionally formalized as programs for a 
particular machine model, the Turing machine. Readers who are interested 
in the formal details of measuring the time complexity of algorithms in terms 
of this model are referred to standard texts on computational complexity 
theory such as [23]. Basically, the model charges one step for performing one 
operation involving a fixed number of letters, or digits. 

We say that a language L C E* is in class P if there is a Turing machine 
(program) M and a polynomial p such that on input x € E* consisting of 
to letters the machine M makes no more than p(m) steps and arrives at the 
answer 1 if x € L and at the answer 0 if x L. 

For our purposes it is sufficient to note the following: if we have an algo- 
rithm A that operates on numbers (like Algorithms 1.1.1 and 1.2.1) so that 
the total number of operations that are performed on input n is bounded 
by c(logn) fc for constants c and k and so that the intermediate results never 
become larger than n k , then the language 

{bin(n) | A on input n outputs 0} 
is in class P. 

Thus, to establish that PRIMES is in P it is sufficient to find an algorithm 
A for the primality problem that operates on (not too large) numbers with 
a polynomial operation bound. The question of whether such an algorithm 
might exist had been open ever since the terminology for asking the question 
was developed in the 1960s. 



1.4 Randomized and Superpolynomial Time Algorithms 
for the Primality Problem 

In a certain sense, the search for polynomial time algorithms for the primality 
problem was already successful in the 1970s, when two very efficient methods 
for testing large numbers for primality were proposed, one by Solovay and 
Strassen [39], and one by Rabin [35], based on previous work by Miller [29]. 
These algorithm have the common feature that they employ a random exper- 
iment (just like Algorithm 1.2.1); so they fall into the category of randomized 
algorithms. For both these algorithms the following holds. 

• If the input is a prime number, the output is 0. 

• If the input is composite, the output is 0 or 1, and the probability that the 
outcome is 0 is bounded by 




1. Introduction: Efficient Primality Testing 



On input n, both algorithms use at most c • log n arithmetic operations on 
numbers not larger than n 2 , for some constant c; i.e. , they are about as 
fast as Algorithm 1.2.1. If the output is 1, the input number n is definitely 
composite; we say that the calculation proves that n is composite, and yields 
a certificate for that fact. If the result is 0, we do not really know whether 
the input number is prime or not. Certainly, an error bound of up to ^ is not 
satisfying. However, by repeating the algorithm up to t times, hence spending 
t • c- log n arithmetic operations on input n, the error bound can be reduced 
to 2 - ^, for arbitrary l. And if we choose to carry out i = dlogn repetitions, 
the algorithms will still have a polynomial operation bound, but the error 
bound drops to n~ d , extremely small for n with a hundred or more decimal 
digits. 

These randomized algorithms, along with others with a similar behavior 
(e.g., the Lucas Test and the Frobenius Test, described in [16, Sect. 3.5]), 
are sufficient for solving the primality problem for quite large inputs for all 
practical purposes, and algorithms of this type are heavily used in practice. 
For practical purposes, there is no reason to worry about the risk of giving 
output 0 on a composite input n, as long as the error bound is adjusted so 
that the probability for this to happen is smaller than 1 in 10 20 , say, and it is 
guaranteed that the algorithm exhibits the behavior as if truly random coin 
tosses were available. Such a small error probability is negligible in relation to 
other (hardware or software) error risks that are inevitable with real computer 
systems. The Miller-Rabin Test and the Solovay-Strassen Test are explored 
in detail later in this text (Chaps. 5 and 6). 

Still, from a theoretical point of view, the question remained whether there 
was an absolutely error-free algorithm for solving the primality problem with 
a small time bound. Here one may consider 

(a) algorithms without randomization (called deterministic algorithms to 
emphasize the contrast), and 

(b) randomized algorithms with expected polynomial running time which 
never give erroneous outputs. 

As for (a), the (up to the year 2002) fastest known deterministic algorithm 
for the primality problem was proposed in 1983 by Adleman, Pomerance, 
and Rumeley [2]. It has a time bound of /^(logn), where f%{x) = x cXnlnx 
for some constant c > 0, which makes it slightly superpolynomial. Practical 
implementations have turned out to be successful for numbers with many 
hundreds of decimal digits [12]. 

As for (b), in 1987 Adleman and Huang [1] proposed a randomized algo- 
rithm that has a (high-degree) polynomial time bound and yields primality 
certificates, in the following sense: On input n, the algorithm outputs 0 or 1. 
If the output is 1, the input n is guaranteed to be prime, and the calculation 
carried out by the algorithm constitutes a proof of this fact. If the input n is 
a prime number, then the probability that the wrong answer 0 is given is at 




1.5 The New Algorithm 



9 



most A Algorithms with this kind of behavior are called primality proving 
algorithms. 

The algorithm of Adleman and Huang (_4ah) may be combined with, for 
example, the Solovay-Strassen Test (Tss) to obtain an error-free randomized 
algorithm for the primality problem with expected polynomial time bound, 
as follows: Given an input n, run both algorithms on n. If one of them gives 
a definite answer (Tah declares that n is a prime number or Tss declares 
that n is composite), we are done. Otherwise, keep repeating the procedure 
until an answer is obtained. The expected number of repetitions is smaller 
than 2 no matter whether n is prime or composite. The combined algorithm 
gives the correct answer with probability 1, and the expected time bound is 
polynomial in log n. 

There are further algorithms that provide proofs for the primality of an 
input number n, many of them quite successful in practice. For much more 
information on primality testing and primality proving algorithms see [16]. 
(A complete list of the known algorithms as of 2004 may be found in the 
overview paper [11].) 



1.5 The New Algorithm 

Such was the state of affairs when in August 2002 M. Agrawal, N. Kayal, and 
N. Saxena published their paper “PRIMES is in P” . In this paper, Agrawal, 
Kayal, and Saxena described a deterministic algorithm for the primality prob- 
lem, and a polynomial bound of c • (log n) 12 • (loglogn) d was proved for the 
number of bit operations, for constants c and d. 

In the time analysis of the algorithm, a deep result of Fouvry [19] from 
analytical number theory was used, published in 1985. This result concerns 
the density of primes of a special kind among the natural numbers. Unfor- 
tunately, the proof of Fouvry’s theorem is accessible only to readers with a 
quite strong background in number theory. In discussions following the pub- 
lication of the new algorithm, some improvements were suggested. One of 
these improvements (by H.W. Lenstra [10, 27]) leads to a slightly modified 
algorithm with a new time analysis, which avoids the use of Fouvry’s the- 
orem altogether, and makes it possible to carry out the time analysis and 
correctness proof solely by basic methods from number theory and algebra. 
The new analysis even yields an improved bound of c- (logn) 10,5 • (loglogn) d 
on the number of bit operations. Employing Fouvry’s result one obtains the 
even smaller bound c- (logn) 7 5 • (loglogn) d . 

Experiments and number-theoretical conjectures make it seem likely that 
the exponent in the complexity bound can be chosen even smaller, about 6 
instead of 7.5. The reader may consult Table 1.1 to get an idea for num- 
bers of which order of magnitude the algorithm is guaranteed to terminate 
in reasonable time. Currently, improvements of the new algorithm are be- 




10 



1. Introduction: Efficient Primality Testing 



ing investigated, and these may at some time make it competitive with the 
primality proving algorithms currently in use. (See [11].) 

Citing the title of a review of the result [13], with the improved and 
simplified time analysis the algorithm by Agrawal, Kayal, and Saxena appears 
even more a “Breakthrough for Everyman” : a result that can be explained 
to interested high-sclrool students, with a correctness proof and time analysis 
that can be understood by everyone with a basic mathematical training as 
acquired in the first year of studying mathematics or computer science. It 
is the purpose of this text to describe this amazing and impressive result 
in a self-contained manner, along with two randomized algorithms (Solovay- 
Strassen and Miller-Rabin) to represent practically important primality tests. 

The book covers just enough material from basic number theory and 
elementary algebra to carry through the analysis of these algorithms, and so 
frees the reader from collecting methods and facts from different sources. 



1.6 Finding Primes and Factoring Integers 

In cryptographic applications, e.g., in the RSA cryptosystem [36], we need 
to be able to solve the prime generation problem, i.e., produce multidigit 
randomly chosen prime numbers. Given a primality testing algorithm A with 
one-sided error, like the Miller-Rabin Test (Chap. 5), one may generate a 
random prime in [10 s , 10 s+1 — 1] as follows: Choose an odd number a from 
this interval at random; run A on a. If the outcome indicates that a is prime, 
output a, otherwise start anew with a new random number a. 

For this algorithm to succeed we need to have some information about the 
density of prime numbers in [10 s , 10 s+1 — 1]. It is a consequence of Clrebychev’s 
Theorem 3.6.3 below that the fraction of prime numbers in [10 s ,10 s+1 — 1] 
exceeds c/s, for some constant c > 0. This implies that the number of trials 
needed until the randomly chosen number a is indeed a prime number is 
no larger than s/c. The expected computation cost for obtaining an output 
is then no larger than s/c times the cost of running algorithm A. If the 
probability that algorithm A declares a composite number a prime is no larger 
than 2 _f , then the probability that the output is composite is no larger than 
2 _f • s/c, which can be made as small as desired by choosing t large enough. 
We see that the complexity of generating primes is tightly coupled with the 
complexity of primality testing. In practice, thus, the advent of the primality 
test of Agrawal, Kayal, and Saxena has not changed much with respect to the 
problem of generating primes, since it is much slower than the randomized 
algorithms and the error probability can be made so small that it is irrelevant 
from the point of view of the applications. 

On the other hand, for the security of many cryptographic systems it is 
important that the factoring problem 



Given a composite number n, find a proper factor of n 




1.7 How to Read This Book 



11 



is not easily solvable for n sufficiently large. An introduction into the subject 
of factoring is given in, for example, [41]; an in-depth treatment may be 
found in [16]. As an example, we mention one algorithm from the family of 
the fastest known factorization algorithms, the “number field sieve”, which 
has a superpolynomial running time bound of c • e d -(inn) 1/3 (in\nn) 2/3 , f or a 
constant d a little smaller than 1.95 and some c > 0. Using algorithms like 
this, one has been able to factor single numbers of more than 200 decimal 
digits. 

It should be noted that with respect to factoring (and to the security 
of cryptosystems that are based on the supposed difficulty of factoring) no 
change is to be expected as a consequence of the new primality test. This 
algorithm shares with all other fast primality tests the property that if it 
declares an input number n composite, in most cases it does so on the basis 
of indirect evidence, having detected a property in n prime numbers cannot 
have. Such a property usually does not help in finding a proper factor of n. 



1.7 How to Read This Book 

Of course, the book may be read from cover to cover. In this way, the reader 
is lead on a guided tour through the basics of algorithms for numbers, of 
number theory, and of algebra (including all the proofs), as far as they are 
needed for the analysis of the three primality tests treated here. 

Chapter 2 should be checked for algorithmic notation and basic algo- 
rithms for numbers. Readers with some background in basic number the- 
ory and/or algebra may want to read Sects. 3.1 through 3.5 and Sects. 4.1 
through 4.3 only cursorily to make sure they are familiar with the (standard) 
topics treated there. Section 3.6 on the density bounds for prime numbers 
and Sect. 4.4 on the fact that in finite fields the multiplicative group is cyclic 
are a little more special and provide essential building blocks of the analysis 
of the new primality test by Agrawal, Kayal, and Saxena. 

Chapters 5 and 6 treat the Miller-Rabin Test and the Solovay-Strassen 
Test in a self-contained manner; a proof of the quadratic reciprocity law, 
which is used for the time analysis of the latter algorithm, is provided in 
Appendix A. 3. These two chapters may be skipped by readers interested 
exclusively in the deterministic primality test. 

Chapter 7 treats polynomials, in particular polynomials over finite fields 
and the technique of constructing finite fields by quotienting modulo an ir- 
reducible polynomial. Some special properties of the polynomial X r — 1 are 
developed there. All results compiled in this section are essential for the anal- 
ysis of the deterministic primality test, which is given in Chap. 8. 

Readers are invited to send information about mistakes, other suggestions 
for improvements, or comments directly to the author’s email address: 
martin.dietzfelbinger@tu-ilmenau.de 




12 1. Introduction: Efficient Primality Testing 

A list of corrections will be held on the webpage 

http : / / eiche . theoinf . tu-ilmenau . de/kt/pbook 




2. Algorithms for Numbers and Their 
Complexity 



The notion of an algorithm is basic in computer science. Usually, one says that 
an algorithm is a finite piece of text that describes in an unambiguous way 
which elementary computational steps are to be performed on any given in- 
put, and in which way the result should be read off after the computation has 
ended. In the theory of algorithms and in computational complexity theory, 
one traditionally formalizes the notion of an algorithm as a program for a par- 
ticular theoretical machine model, the Turing machine. In our context, where 
we deal with numbers rather than with strings, this is not appropriate, hence 
we use a different notation for algorithms, described in Sect. 2.1. As a tech- 
nical prerequisite for discussing complexity issues, we introduce O-notation 
in Sect. 2.2. In Sect. 2.3 the complexity of some elementary operations on 
numbers is discussed. 



2.1 Notation for Algorithms on Numbers 

We describe algorithms in an informal framework (“pseudocode”), resembling 
imperative programs for simplified computers with one CPU and a main 
memory. For readers without programming experience we briefly describe 
the main features of the notation. 

We use only two elementary data structures: 

• A variable may contain an integer. (Variables are denoted by typewriter 
type names like a, b, k, 1, and so on.) 

• An array corresponds to a sequence of variables, indexed by a segment 
{1, . . . , k} of the natural numbers. (Arrays are denoted by typewriter let- 
ters, together with their index range in square brackets; an array element 
is given by the name with the index in brackets. Thus, a [1 . . 100] denotes 
an array with 100 components; a [37] is the 37th component of this array.) 
Each array component may contain an integer. 

If not obvious from the context, we list the variables and arrays used in an 
algorithm at the beginning. In many algorithms numbers are used that do not 
change during the execution; such numbers, so-called constants , are denoted 
by the usual mathematical notation. 



M. Dietzfelbinger: Primality Testing in Polynomial Time, LNCS 3000, pp. 13-21, 2004. 
© Springer- Verlag Berlin Heidelberg 2004 




14 



2. Algorithms for Numbers and Their Complexity 



There are two basic ways in which constants, variables, and array com- 
ponents can be used: 

• Usage : write the name of the variable to extract and use its content by 
itself or in an expression. Similarly, constants are used by their name. 

• Assigning a new value: if v is some integral value, e.g., obtained by evalu- 
ating some expression, then x v is an instruction that causes this value 
to be put into x. 

By combining variables and constants from Z with operations like addition 
and multiplication, parenthesized if necessary, we form expressions, which 
are meant to cause the corresponding computation to be carried out. For 
example, the instruction 

x [i] <— (a + b) div c 

causes the current contents of a and b to be added and the result to be divided 
by the constant c. The resulting number is stored in component x [?'] , where 
i is the number currently stored in variable i. 

By comparing the values of numerical expressions with a comparison op- 
erator from {<,>,<,>,=, 7 ^}, we obtain boolean values from {true, false}, 
which may further be combined using the usual boolean operators in {A, V, — >}, 
to yield boolean expressions. 

Further elementary instructions are the return statement that immedi- 
ately finishes the execution of the algorithm, and the break statement that 
causes a loop to be finished. 

Next, we describe ways in which elementary instructions (assignments, re- 
turn, break) may be combined to form more complicated program segments 
or statements. Formally, this is done using an inductive definition. Elemen- 
tary instructions are statements. If stm \, . . . , stm r , r > 1, are statements, 
then the sequence {stmi] ••• stm r \ } is also a statement; the semantics is 
that the statements stm\, . . . , stny. are to be carried out one after the other. 
In our notation for algorithms, we use an indentation scheme to avoid curly 
braces: a consecutive sequence of statements that are indented to the same 
depth is to be thought of as being enclosed in curly braces. 

Further, we use if-then statements and if-then-else statements with the 
obvious semantics. For booLexpr an expression that evaluates to a boolean 
value and stm a statement, the statement 

if booLexpr then stm 

is executed as follows: first the boolean expression is evaluated to some value 
in {true, false}' if and only if the result is true, the (simple or composite) 
statement stm is carried out. Similarly, a statement 

if booLexpr then stm i else stm2 




2.2 O-notation 



15 



is executed as follows: if the value of the boolean expression is true , then stm\ 
is carried out, otherwise stm 2 is carried out. 

In order to be able to write repetitive instructions in a concise way, we 
use for loops, while loops, and repeat loops. A for statement 

for i from expr\ to expr 2 do stm 

has the following semantics. The expressions exp ?q and expr 2 are evalu- 
ated, with integral results n\ and n^- Then the “loop body” ins is executed 
max{ 0 , «2 — nr + 1 } times, once with i containing m, once with i containing 
ni + 1 , . . ., once with i containing n%. Finally i is assigned the value 712 + 1 
(or ni, if ni > 712). It is understood that the loop body does not contain an 
assignment for i. The loop body may contain the special instruction break, 
which, when executed, immediately terminates the execution of the loop, 
without changing the contents of i. Again, we use indentation to indicate 
how far the body of the loop extends. If instead of the keyword to we use 
downto, then the content of i is decreased in each execution of the loop 
body. 

The number of repetitions of a while loop is not calculated beforehand. 
Such a statement, written 

while booLexpr do stm 

has the following semantics. The boolean expression booLexpr is evaluated. 
If the outcome is true, the body stm is carried out once, and we start again 
carrying out the whole while statement. Otherwise the execution of the state- 
ment is finished. 

A repeat statement is similar. It has the syntax 

repeat stm until booLexpr 

and is executed as follows. The statement stm is carried out once. Then the 
boolean expression booLexpr is evaluated. If the result is true, the execution 
of the statement is finished. Otherwise we start again carrying out the whole 
repeat statement. Just as with a for loop, execution of a while loop or a 
repeat loop may also be finished by executing a break statement. 

A special elementary instruction is the operation random. The statement 
random(r), where r > 2 is a number, returns as value a randomly chosen 
element of { 0 , . . . , r — 1 }. If this instruction is used in an algorithm, the result 
becomes a random quantity and the running time might become a random 
variable. If the random instruction is used in an algorithm, we call it a 
“ randomized algorithm ” . 



2.2 O-notation 

In algorithm analysis, it is convenient to have a notation for running times 
which is not clogged up by too much details, because often it is not possible 




16 2. Algorithms for Numbers and Their Complexity 



and often it would even be undesirable to have an exact formula for the 
number of operations. We want to be able to express that the running time 
grows at most “at the rate of log n” with the input n, or that the number of 
bit operations needed for a certain task is roughly proportional to (logn) 3 . 
For this, “O-notation” (read “big-Oh-notation” ) is commonly used. 

We give the definitions and basic rules for manipulating bounds given in 
O-notation. The proofs of the formulas and claims are simple exercises in 
calculus. For more details on O-notation the reader may consult any text on 
the analysis of algorithms (e.g., [15]). 

Definition 2.2.1. For a function /: N — > R + we let 

0(f) = {g | g : N -> R + , 30 > 03?r o Vn > n 0 : g(n) < C ■ f(n )} , 

O(f) = {g | g: N -> R + , 3c > 03n o Vn > n 0 : g(n) > c ■ f(n)} , 

&(f) = o(f)nn(f). 

Alternatively, we may describe 0(/) [or !?(/) or 0(f), resp.] as the set of 
functions g with limsup^^^ < oo [or liminf n ^ oc > 0, or both, 
resp.]. 

Example 2.2.2. Let fi(n) = (logn)*, for i = 1, 2, — 

(a) If g is a function with g(n ) < 50(logn) 2 — lOO(loglogn) 2 for all n > 100, 
then g G 0(/2), and g G O(fi) for all i > 2. 

(b) If g is a function with g(n) > (logn) 3 • (log logn) 2 for all n > 50, then 
g G fi(f 3 ) and g G 0(f 2 ). 

(c) If g is a function with djlogn < g(n) < 15 logn + 5(loglogn) 2 for all 
n > 50, then g G O(fi). 

Thus, O-notation helps us in classifying functions g by simple representative 
growth functions f even if the exact values of the functions g are not known. 
Note that since we demand a certain behavior only for n > no, it does not 
matter if the functions that we consider are not defined or not specified for 
some initial values n < no- 
Usually, one writes: 

g(n) = 0(f(n )) if gGO(f), 1 
g(n ) = 0(f(n)) if g G f2(f), and 
g (n) = 0(f(n)) if g G 0(f) . 

Sometimes, we use 0(f(n)) also as an abbreviation for an arbitrary function 
in O(f); e.g., we might say that algorithm A has a running time of 0(f(n)) 
if the running time tj\_(n) on input n satisfies t^(n) = 0(f(n)). Extending 
this, we write 0(g(n)) = 0(f(n)) if every function in 0(g) is also in O(f). 



1 Read: “g(n) is big-Oh of f(n)” . 




2.2 O-notation 



17 



The reader should be aware that the equality sign is not used in a proper 
way here; in particular, the relation 0(g(n)) = 0(/(n)) is not symmetric. 

In a slight extension of this convention, we write g(n) = 0(1) if there is 
a constant C such that g(n) < C for all n, and g(n) = 17(1) if g(n) > c for 
all n, for some c > 0. 

For example, if the running time f _4 (n) of some algorithm A on input n is 
bounded above by 50(logn) 2 — lO(loglogn) 2 , we write t^n) = 0((logn) 2 ). 
Similarly, if c < fg(n)/(logn) 3 < C for all n > no, we write tg(n) = 
6>((log n) 3 ). 

There are some simple rules for combining estimates in O-notation, which 
we will use without further comment: 

Lemma 2.2.3. (a) if g\(n) = 0(/i(n)) and g 2 (n) = 0(/2(n)), then 
gi(n) + g 2 (n) = 0(max{/i(n), / 2 (n)}); 

(b) if gi(n) = 0(/i(n)) and g 2 (n ) = 0(/ 2 (n)), then 
gi(n) ■ g 2 (n) = 0(/i(n) • f 2 (n)). □ 

For example, if g\(n) = 0((logn) 2 ) and g 2 (n) = 0((logn)(loglogn)), then 
9i(n) +g 2 (n ) = 0((logn) 2 ) and gi(n) ■ g 2 (n ) = 0((logn) 3 (loglogn)). 

We extend the O-notation to functions of two variables and write 

g(n,m) = 0(/(n,m)) 

if there is a constant C > 0 and there are no and mo such that for all 
n > no and m > tuq we have g(n,m) < C ■ f(n,m). Of course, this may be 
generalized to more than two variables. Using this notation, we note another 
rule that is essential in analyzing the running time of loops. It allows us to 
use summation of 0(. . .)-terms. 

Lemma 2.2.4. If g(n,i) = 0(f(n,i)), and G(n,m ) = 9( n > *) an d 

F(n, m) = Ei <i< m /( n u)> then G(n,m) = 0(F(n,m)). □ 

A particular class of time bounds are the polynomials (in logn): Note that 
if g(n) < ad(log?r) d + • • • + <Ji logn + ao for arbitrary integers ad, ■ ■ ■ , ai, ao, 
then g(n) = 0((logn) d ). 

We note that if linin^oo = 0 then 0(/i) C 0(/ 2 ). For example, 
O(logn) C 0((logn)(loglogn)). The following sequence of functions charac- 
terize more and more extensive O-classes: 

log n, (log n) (log log n) , (log n) 3/2 , (log n) 2 , (log n) 2 (log log n) 3 , (log n) 5/2 , 
(logn) 3 , (logn) 4 , . . . , (log n) loglog losTl = 2 ( 1 °s lo « ?l )( lo g lo « lo s 11 ), 
2 (iogio g n) 2 j2 Ukii7i i 2( lo s ?1 )/ 2 = n 3/4 , n/ log n,n,n log log n,n logn. 

In connection with the bit complexity of operations on numbers, like pri- 
mality tests, one often is satisfied with a coarser classification of complexity 
bounds that ignores logarithmic factors. 




18 



2. Algorithms for Numbers and Their Complexity 



Definition 2.2.5. For a function f : N — » R + with lim^-^ /(n) = oo we let 

0~(f) = {g\g:N^ R+,3C > 03n 0 3fcVn > n 0 : g(n) < C-f(n) log(/(n)) fc }. 

Again, we write g{n) = 0~(f(n)) if g € 0~(f). A typical example is the 
bit complexity t(n) = O ( (log n) (log log n) (log log log n)) of the Schonlrage- 
Strassen method for multiplying integers n and m < n [41]. This complexity 
is classified as t(n) = 0~(logn). Likewise, when discussing a time bound 
(log n) 7 ' 5 (log log n) 4 (log log log n) one prefers to concentrate on the most sig- 
nificant factor and write 0~((logn) 7 ' 5 ) instead. The rules from Lemma 2.2.3 
also apply to the “0~-notation” . 



2.3 Complexity of Basic Operations on Numbers 

In this section, we review the complexities of some elementary operations 
with integers. 

For a natural number n > 1, let ||n|| = [log 2 (n + l)] be the number of bits 
in the binary representation of n; let ||0|| = 1. We recall some simple bounds 
on the number of bit operations it takes to perform arithmetic operations 
on natural numbers given in binary representation. The formulas would be 
the same if decimal notation were used, and multiplication and addition or 
subtraction of numbers in {0, 1, . . . , 9} were taken as basic operations. In all 
cases, the number of operations is polynomial in the bit length of the input 
numbers. 

Fact 2.3.1. Let n,m be natural numbers. 

(a) Adding or subtracting n and m takes 0(||n|| + ||m||) = 0(logn + logm) 
bit operations. 

(b) Multiplying m and n takes 0(||n|| • ||m||) = 0(log(n) • log(m)) bit opera- 
tions. 

(c) Computing the quotient n div m and the remainder n mod m takes 
0((||n|| — ||m|| + 1) • ||m||) bit operations. 2 

Proof. In all cases, the methods taught in school, adapted to binary notation, 
yield the claimed bounds. □ 

Addition and subtraction have cost linear in the binary length of the 
input numbers, which is optimal. The simple methods for multiplication and 
division have cost no more than quadratic in the input length. For our main 
theme of polynomial time algorithms this is good enough. However, we note 
that much faster methods are known. 

2 The operations div and mod are defined formally in Definition 3.1.9. 




2.3 Complexity of Basic Operations on Numbers 



19 



Fact 2.3.2. Assume n and m are natural numbers of at most k bits each. 

(a) ([38]) We may multiply m and n with 0(/c(log fc) (log log k)) = 0~(k) bit 
operations. 

(b) ( For example, see [41].) We may compute n div to. and n mod m using 

0(fc(logfc)(loglogfc)) = 0~(k) bit operations. □ 

An interesting and important example for an elementary operation on 
numbers is modular exponentiation. Assume we wish to calculate the number 
210987654321 m0( ] ipl. Clearly, the naive way — carrying out 10987654320 
multiplications and divisions modulo 101 — is inefficient if feasible at all. 
Indeed, if we calculated a n mod m by doing n— 1 multiplications and divisions 
by to, the number of steps needed would grow exponentially in the bit length 
of the input, which is ||a|| + ||n|| + ||m||. 

There is a simple, but very effective trick to speed up this operation, called 
“repeated squaring”. The basic idea is that we may calculate the powers 
Si = a 2 mod to, i > 0, by the recursive formula 

So = a mod n; Si = s 2 _ 1 mod to, for i > 1. 

Thus, k multiplications and divisions by to are sufficient to calculate a 2 mod 
to, for 0 < i < k. Further, if bkbk-i ■ • • & 1 A 0 is the binary representation of n, 
i.e., n = £ 0 <i<Mi=i 2 then 

a n mod to = I Si ] mod to. 

' 0 <i<k ' 
bi — 1 

This means that at most k further multiplications and divisions are sufficient 
to calculate a n mod to. Let us see how this idea works by carrying out the 
calculation for 2 4321 mod 101 (Table 2.1). We precalculate that the binary 
representation of 4321 is bk--;b 0 = 1000011100001. By d we denote the 
partial product TIo<j<i b =i ^ m °d m - It on Iy remains to efficiently obtain 
the bits of the binary representation of n. Here the trivial observation helps 
that the last bit bo is 0 or 1 according as n is even or odd, and that in the 
case n > 2 the preceding bits bk ■ ■ ■ b\ are just the binary representation of 
|_n/2j = a div 2. Thus, a simple iterative procedure yields these bits in the 
order bo,b\, . . . ,bk needed by the method sketched above. If we interleave 
both calculations, we arrive at the following procedure. 

Algorithm 2.3.3 (Fast Modular Exponentiation) 

Input: Integers a, n, and to. > 1. 

Method: 

0 u, s, c: integer; 

1 u <— n; 




20 2. Algorithms for Numbers and Their Complexity 

2 s <— a mod m; 

3 c < — 1; 

4 while u > 1 repeat 

5 if u is odd then c <— (c • s) mod m; 

6 s <— s • s mod m; 

7 u * — u div 2; 

8 return c; 



i 


Si 


bi 


Ci 


0 


CN 

II 

CN 


1 


2 


1 


2 2 = 4 


0 


2 


2 


4 2 = 16 


0 


2 


3 


16 2 mod 101 = 54 


0 


2 


4 


54 2 mod 101 = 88 


0 


2 


5 


88 2 mod 101 = 68 


1 


2 • 68 mod 101 = 35 


6 


68 2 mod 101 = 79 


1 


35 • 79 mod 101 = 38 


7 


79 2 mod 101 = 80 


1 


38 • 80 mod 101 = 10 


8 


80 2 mod 101 = 37 


0 


10 


9 


37 2 mod 101 = 56 


0 


10 


10 


56 2 mod 101 = 5 


0 


10 


11 


5 2 mod 101 = 25 


0 


10 


12 


25 2 mod 101 = 19 


1 


10 ■ 19 mod 101 = 89 



Table 2.1. Exponentiation by repeated squaring 



In line 2 s is initialized with a mod m = a 2 mod m, and u with n. In each 
iteration of the loop, u is halved in line 7; thus when line 5 is executed for the 
(i T l)st time, u contains the number with binary representation bkbk-i ■ ■ ■ hi. 
Further, in line 6 of each iteration, the contents of s are squared (modulo m); 
thus when line 5 is executed for the (i + l)st time, s contains Sj = a 2 mod m. 
The last bit bi of u is used in line 5 to decide whether p should be multiplied 
by Si or not. This entails, by induction, that after carrying out line 5 the ith 
time p contains ^ m °d m. The loop stops when u has become 0, 

which obviously happens after k + 1 iterations have been carried out. At this 
point p contains Tlo<j<fc ^ m °d m, the desired result. 

Lemma 2.3.4. Calculating a n mod m takes O(logn) multiplications and di- 
visions of numbers from {0, . . . ,to 2 — 1}, and 0((logn)(logm) 2 ) ( naive ) resp. 
0~((logn)(logra)) ( advanced methods) bit operations. □ 

It is convenient to here provide an algorithm for testing natural numbers 
for the property of being a perfect power. We say that n > 1 is a perfect 
power if n = a b for some a, b > 2. Obviously, only exponents b with b < logn 




2.3 Complexity of Basic Operations on Numbers 



21 



can satisfy this. The idea is to carry out the following calculation for each 
such h: We may check for any given a < n whether a b < n or a b = n or 
a b > n. (Using the Fast Exponentiation Algorithm 2.3.3 without modulus, 
but cutting off as soon as an intermediate result larger than n appears will 
keep the numbers to be handled smaller than n 2 .) This makes it possible to 
conduct a binary search in {1, . . . , n} for a number a that satisfies a b = n. 

In detail, the algorithm looks as follows: 

Algorithm 2.3.5 (Perfect Power Test) 

Input: Integer n > 2. 

Method: 

0 a, b, c, m: integer; 

1 b <- 2; 

2 while 2 b < n repeat 

3 a <— 1; c <— n; 

4 while c — a > 2 repeat 

5 m <— (a + c) div 2; 

6 p <— min{m b , n + 1}; (* fast exponentiation, truncated *) 

7 if p = n then return (“ perfect power” , m, b); 

8 if p < n then a <— m else c <— m ; 

9 b 4— b + 1; 

10 return “ no perfect power ” ; 

In lines 3-8 a binary search is carried out, maintaining the invariant that 
for the contents a, c of a, c we always have a b < n < c b . In a round, the 
median m = (a + c) div 2 is calculated and (using the fast exponentiation 
algorithm) the power m b is calculated; however, as soon as numbers larger 
than n appear in the calculation, we break off and report the answer n+ 1. In 
this way, numbers larger than n never appear as factors in a multiplication. 
If and when m = (a + c) div 2 satisfies m b — n, the algorithm stops and 
reports success (line 7). Otherwise either a or c is updated to the new value 
m, so that the invariant is maintained. In each round through the loop 3-8 
the number of elements in the interval [a+ 1, c— 1] halves; thus, the loop runs 
for at most logn times before c—b becomes 0 or 1. The outer loop (lines 2-9) 
checks all possible exponents, of which there are [lognj — 1 many. Summing 
up, we obtain: 

Lemma 2.3.6. Testing whether n is a perfect power is not more expen- 
sive than 0((logn) 2 loglogn) multiplications of numbers from {l,...,n}. 
This can be achieved with 0((logn) 4 loglogn) bit operations (naive) or even 
0~((logn) 3 ) bit operations ( fast multiplication). □ 

We remark that using a different approach (“Newton iteration”) algorithms 
for perfect power testing may be devised that need only 0~((logn) 2 ) bit 
operations. (See [41, Sect. 9.6].) 




3. Fundamentals from Number Theory 



In this chapter, we study those notions from number theory that are essen- 
tial for divisibility problems and for the primality problem. It is important to 
understand the notion of greatest common divisors and the Euclidean Algo- 
rithm, which calculates greatest common divisors, and its variants. The Eu- 
clidean Algorithm is the epitome of efficiency among the number-theoretical 
algorithms. Further, we introduce modular arithmetic, which is basic for all 
primality tests considered here. The Chinese Remainder Theorem is a basic 
tool in the analysis of the randomized primality tests. Some important prop- 
erties of prime numbers are studied, in particular the unique factorization 
theorem. Finally, both as a general background and as a basis for the analy- 
sis of the deterministic primality test, some theorems on the density of prime 
numbers in the natural numbers are proved. 



3.1 Divisibility and Greatest Common Divisor 

The actual object of our studies in this book are the natural numbers 
0, 1, 2, 3, . . . and the prime numbers 2, 3, 5, 7, 11, . . .. Still, it is necessary to 
start with considering the set 

Z = {0, 1, — 1, 2, — 2,3, — 3, . . .} 

of integers together with the standard operations of addition, subtraction, 
and multiplication. This structure is algebraically much more convenient than 
the natural numbers. 

Definition 3.1.1. An integer n divides an integer m, in symbols n \ m, if 
nx = m for some integer x. If this is the case we also say that n is a divisor 
of m or that m is a multiple of n. 

Example 3.1.2. Every integer is a multiple of 1 and of — 1; the multiples 
of 3 are 0,3,— 3,6,— 6, 9, —9, .... The number 0 does not divide anything 
excepting 0 itself. On the other hand, 0 is a multiple of every integer. 

We list some elementary properties of the divisibility relation, which will 
be used without further comment later. 

M. Dietzfelbinger: Primality Testing in Polynomial Time, LNCS 3000, pp. 23-53, 2004. 

© Springer- Verlag Berlin Heidelberg 2004 




24 



3. Fundamentals from Number Theory 



Proposition 3 . 1 . 3 . (a) If n \ m and n \ k, then n | ( mu + kv ) for arbitrary 
integers u and v. 

(b) If n , to > 0 and n \ to, then n < m . 

(c) If n | to. and to | k, then n \ k. 

(d) If n | m, then (— n) | m and n | (—to). 

Proof, (a) If m = nx and k = ny, then mu + kv = nfxu + yv). 

(b) Assume to = nx. Then x > 0, which implies x > 1, since x is an integer. 
Thus, to — n = nx — n = n ■ (x — 1) >0. 

(c) If to = nx and k = my, then k = n(xy). 

(d) If to. = nx, then to. = (~n)(—x) and —to = n(— x). □ 

Because of (d) in the preceding proposition, it is enough to study non- 
negative divisors. 

Definition 3 . 1 . 4 . For an integer n, let D(n) denote the set of nonnegative 
divisors of n. 

Example 3.1.5. (a) D( 0) comprises all nonnegative integers. 

(b) D(60) = D(-60) = {1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, 60}. 

For n / 0, Zf(n) contains only positive numbers, with 1 among them. By 
Proposition 3.1.3 we have that D(n) = D(—n), that D{n) is partially ordered 
by the relation |, and that it is downward closed under this relation. 

Definition 3 . 1 . 6 . (a) If n and to. are integers, not both 0, then the largest 
integer that divides n and divides to. is called the greatest common di- 
visor of n and to. and denoted by gcd (n, to). 

( Note that the set D{n .) IT D(m ) of common divisors of n and m contains 
1, hence is nonempty, and that it is finite, hence has a maximum.) 

It is convenient to define ( somewhat arbitrarily) gcd(0,0) = 0. 

(b) If gcd(n, to) = 1, then we say that n and to. are relatively prime. 

For example, we have gcd(4, 15) = 1, gcd(4, 6) = 2, gcd(4, 0) = gcd(4, 4) = 4. 
The motivation for the term relatively prime will become clearer below when 
we treat prime numbers. We note some simple rules for manipulating gcd(-, •) 
values. 

Proposition 3 . 1 . 7 . (a) gcd(n,m) = gcd(— n, to) = gcd(n, —to) 

= gcd(— n, —to), for all n,m. In particular, gcd (n,m) = gcd(|n|, \m\). 

(b) gcd(n,n) = gcd(n, 0) = gcd(0,n) = |n| for all integers n. 

(c) gcd(n, to) = gcd(TO,n), for all integers n,m. 

(d) gcd(n, to) = gcd(n + mx, to), for all integers n, to., x. 

Proof, (a) holds because D(n) = D(—n ) for all integers n. 

(b) and (c) are immediate from the definitions. 

(d) If to = 0, the claim is trivially true. Thus, assume to 0, hence D(m) 
is a finite set. Obviously then it is sufficient to note that D(n) fl D(m) = 
D(n + mx) 0 D(m). This is proved as follows: 




3.1 Divisibility and Greatest Common Divisor 



25 



“C” : If n = du and m = dv, then n + mx = d(u + vx) , hence n + mx is a 
multiple of d as well. 

“D”: If n + mx = du and to = dv then n = d(u — vx), hence n is a multiple 
of d as well. □ 

Another important rule for gcd(-,-) calculations will be given in Corol- 
lary 3.1.12. 

Proposition 3.1.8 (Integer Division with Remainder). If n is an 

integer and d is a positive integer ( the divisor or modulus), then there are 
unique integers q ( the quotient) and r ( the remainder) such that 

n = dq + r and 0 < r < d. 



There are quite efficient algorithms for finding such numbers q and r from 
n and d, discussed in Sect. 2.3. Here, we prove existence and uniqueness 
(indicating a very inefficient algorithm for the task of finding q and r). 

Proof. Existence: Let q be the maximal integer such that qd < a. (Since 
(— \n\)d < n < (|n| + l)d, this q is well defined and can in principle be found 
by searching through a finite set of integers.) The choice of q implies that 
qd < n < (q + 1 )d. We define r = n— qd, and conclude 0 < r < d, as desired. 
Uniqueness: Assume n = qd + r = q'd + r' , for 0 < r,r' < d. By symmetry, 
we may assume that r' — r > 0; obviously, then, 0 < r' — r < d. Hence 
0 = (q' — q)d + ( r ' — r), which means that r' — r is a multiple of d. By 
Proposition 3.1.3(b), the only multiple of d in {0, 1, . . . , d — 1} is 0, hence we 
must have r = r' . This in turn implies qd = q'd, from which we get q = q' , 
since d is nonzero. □ 

The operation of division with remainder is so important that we intro- 
duce special notation for it. 

Definition 3.1.9. For an integer n and a positive integer d we let 

n mod d = r, and 
n div d = q, 



where r and q are the uniquely determined numbers that satisfy n = qd + r, 
0 < r < d, as in Proposition 3.1.8. 

Note that n div d = \n/d\, which denotes the largest integer not exceed- 
ing n/d. (See Appendix A. 2.) 

Examples: 



16 div 4 = 4, 

9 div 4 = 2, 

3 div 4 = 0, 

0 div 4 = 0, 

-2 div 4 = -1, 
—9 div 4 = —3, 



16 mod 4 = 0, 
9 mod 4=1, 
3 mod 4 = 3, 
0 mod 4 = 0, 
—2 mod 4 = 2, 
—9 mod 4 = 3. 




26 



3. Fundamentals from Number Theory 



The following property of division with remainder is essential for the 
Euclidean Algorithm, an efficient method for calculating the greatest common 
divisor of two numbers (see Sect. 3.2). 

Proposition 3.1.10. If m > 1, then gcd(n, m) = gcd(n mod m, m) for all 
integers n. 

Proof. Since n mod m = n — qrn for q = n div to, this is a special case of 
Proposition 3.1.7(d). □ 

The greatest common divisor of n and to has an important property, 
which is basic for many arguments and constructions in this book: it is an 
integral linear combination of n and to. 

Proposition 3.1.11. For arbitrary integers n and m there are integers x 
and y such that 

gcd (n, to) = nx + my. 

Proof. If n = 0 or to = 0, either (x,y) = (1, 1) or (x,y) = (—1, —1) will be 
suitable. So assume both n and to are nonzero. Let I = {nu + mv \ u,v £ Z}. 
Then I has positive elements, e.g., n 2 + to 2 is a positive element of I. Choose 
x and y so that d = nx + my > 0 is the smallest positive element in I. We 
claim that d = gcd(n, to). 

For this we must show that 

(i) d £ D(n) D D(m), and that 

(ii) all positive elements of D(n) D D(m) divide d. 

Assertion (ii) is simple: use that if k divides n and to, then k divides nx and 
my, hence also the sum d = nx + my. To prove (i), we show that d divides n; 
the proof for to is the same. By Proposition 3.1.8, we may write n = dq + r 
for some integer q and some r with 0 < r < d. Thus, 

r = n — dq = n— {nx + my)q = n(l — xq) + m(—yq), 

which shows that r £ I. Now d was chosen to be the smallest positive element 
of I, and r < d, so it must be the case that r = 0, which implies that n = dq. 
Thus d is a divisor of n, as desired. □ 

Corollary 3.1.12. For all integers n and to, and k > 0 we have 

gcd {kn, km) = k • gcd(n, m). 

Proof. If n = to = 0, there is nothing to show. Thus, assume that d = 
gcd (n,m) > 0, and write d = nx + my for integers x and y. Then kd = 
{kn)x + ( km)y , hence every common divisor of kn and km divides kd. On 
the other hand, it is clear that kd divides both kn and km.. Thus, kd = 
gcd {kn,km). □ 

The following most important special case of Proposition 3.1.11 will be 
used without further comment later. 




3.2 The Euclidean Algorithm 



27 



Proposition 3.1.13. For integers n and m the following are equivalent: 

(i) n and m are relatively prime, and 

(ii) there are integers x and y so that 1 = nx + my. 

Proof, (i) => (ii) is just Proposition 3.1.11 for 1 = gcd(n,m). For the 

direction (ii) => (i), note that if 1 = nx + my, then n and to cannot be both 
0, and every common divisor of n and to . also divides 1 , hence gcd(n, to) = 1 . 

□ 

For example, for n = 20 and to = 33 we have 1 = 33 • (—3) + 20-5 = 
33 • 17 + 20 • (—28). More generally, if nx + my = 1, then clearly n(x + um) + 
m(y — un) = 1 for arbitrary u £ Z. 

We note two consequences of Proposition 3.1.13. 

Corollary 3.1.14. For all integers n, m, and k we have: If n and k are 
relatively prime, then gcd(n, mfc) = gcd (n, to). 

Proof. Since n and k are relatively prime, we can write 1 = nx + ky for 
suitable integers x, y. This implies to = n{mx) + ( mk)y , from which it is 
immediate that every common divisor of n and mk also divides m. Thus, 
D(n) D D(m ) = D{n) 0 D(mk ), which implies the claim. □ 

Proposition 3.1.15. If n and to. are relatively prime integers, and n and to 
both divide k, then nm divides k. 

Proof. Assume k = ns and k = mt, for integers s, t. By Proposition 3.1.13 
we may write 1 = nx + my for integers x and y. Then 

k = k ■ nx + k • my = mi ■ nx + ns • my = (tx + sy) ■ nm, 

which proves the claim. □ 

Continuing the example just mentioned, let us take the number 7920, 
which equals 20 • 396 and 33 • 240. Using the argument from the previous 
proof, we see that 7920 = (396 • (-3) + 240 • 5) • (20 • 33) = 12 • (20 • 33). 



3.2 The Euclidean Algorithm 

The Euclidean Algorithm is a cornerstone in the area of number-theoretic al- 
gorithms. It provides an extremely efficient method for calculating the great- 
est common divisor of two natural numbers. An extended version even cal- 
culates a representation of the greatest common divisor of n and to as a 
linear combination of n and to (see Proposition 3.1.11). The algorithm is 
based on the repeated application of the rule noted as Proposition 3.1.10. We 
start with the classical Euclidean Algorithm, formulated in the simplest way. 
(There are other formulations, notably ones that use recursion.) 




28 



3. Fundamentals from Number Theory 



Algorithm 3.2.1 (Euclidean Algorithm) 

Input: Two integers n, to. 

Method: 

0 a, b: integer; 

1 if \n\ > \m\ 

2 then a <— |n|; b |m|; 

3 else b <— |m|; a 4— |n|; 

4 while b > 0 repeat 

5 (a, b) <— (b, a mod b); 

6 return a; 

In lines 1-3 the absolute values of the input numbers n and m are placed into 
the variables a and b in such a way that b is not larger than a. Lines 4 and 5 
form a loop. In each iteration of the loop the remainder a mod b is computed 
and placed into b (as the divisor in the next iteration); simultaneously, the 
old value of b is put into a. In this way, the algorithm generates a sequence 

(a 0 ,b o),(ai,6i),...,(a t ,6 t ), 

where {ao,6o} = {|n|, |m|} and a* = 6j_i, bi = cq_i mod 6j_j, for 1 < i < t, 
and b t = 0. 

For an example, consider Table 3.1, in which is listed the sequence of 
numbers that the algorithm generates on input n = 10534, m = 12742. The 
numbers a; and bi are the contents of variables a and b after the loop has been 
executed i times. The value returned is 46. We will see in a moment that this 



i 


di 


bi 


0 


12742 


10534 


1 


10534 


2208 


2 


2208 


1702 


3 


1702 


506 


4 


506 


184 


5 


184 


138 


6 


138 


46 


7 


46 


0 



Table 3.1. The Euclidean Algorithm on n = 10534 and m = 12742 



means that the greatest common divisor of 10536 and 12742 is 46. Indeed, 
it is not hard to see that the Euclidean Algorithm always returns the value 
gcd(n,m), for integers n and m. To see this, we prove a “loop invariant”. 

Lemma 3.2.2. (a) For the pair ( a,, 6; ) stored in a and b after the loop in 
lines 4 and 5 has been carried out for the ith time we have 

gcd (ai,bi) = gcd(n, to). 



(3.2.1) 




3.2 The Euclidean Algorithm 



29 



(b) On input n,m, Algorithm, 3.2.1 returns the greatest common divisor of 
m and n. If both m and n are 0, the value returned is also 0. 

Proof, (a) We use induction on i. By Proposition 3.1.7(a) and (c), gcd(ao, bo) 
= gcd (n, to), since {ao,bo} = {|n|, |m|}. Further, for i > 1, 

gcd (aubi) = gcd(6 i _i,a i _i mod 6*_i) = gcd(aj_i, 6»_i) = gcd(n,m), 

by the instruction in line 5, Proposition 3.1.10, and the induction hypothesis, 
(b) It is obvious that in case n = to = 0 the loop is never performed and the 
value returned is 0. Thus assume that n and to are not both 0. To see that 
the loop terminates, it is sufficient to observe that bo, b\, b 2 , ■ ■ . is a strictly 
decreasing sequence of integers, hence there must be some t with = 0. That 
means that after finitely many executions of the loop variable b will get the 
value 0, and the loop terminates. For the content at of a at this point, which 
is the returned value, we have at. = gcd(a*,0) = gcd(n, m), by part (a) and 
Proposition 3.1.7(b). □ 

Next, we analyze the complexity of the Euclidean Algorithm. It will turn 
out that it has a running time linear in the number of bits of the input 
numbers (in terms of arithmetic operations) and quadratic cost (in terms 
of bit operations). In fact, the cost is not more than that of multiplying to 
and n (in binary) by the naive method. This means that on a computer the 
Euclidean Algorithm can be carried out very quickly for numbers that have 
hundreds of bits, and in reasonable time even if they have thousands of bits. 

Lemma 3.2.3. Assume Algorithm 3.2.1 is run on input n, to. Then we have: 

(a) The loop in lines 4 and 5 is carried out at most 2min{||n||, 1 1 to. 1 1 } = 
0(min{log(n), log(m)}) times. 

(b) The number of bit operations made is O (log (n) log (to)). 

Proof, (a) We have already seen in the previous proof that the numbers 
bo,bi,. . . form a strictly decreasing sequence. A closer look reveals that the 
decrease is quite fast. Consider three subsequent values bi, &i+i, &j+ 2 - 

Case 1: b i+1 > \ bi = \a i+ 1 . Then b i+2 = a*+i - b i+ \ < \bi . 

Case 2: 6 i+ i < \bi = \a i+ 1 . Then b i+2 = a i+ 1 mod b i+1 < b i+1 < \bi . 

This means that in two rounds the bit length of the content of variable b is 
reduced by 1 (unless it has reached the value 0 anyway). Thus, after at most 
2min{||n||, ||m||} executions of the loop b contains 0, and the loop stops. 

(b) Even if we use the naive method for dividing at by bi (in binary 
notation), 0((||aj|| — ||6j|| + 1) • ||&;||) bit operations are sufficient for this 
operation, see Fact 2.3.1(c). Note that bi = Oj+i, for 0 < i < t, and hence 

( \\ai || - ||bi|| + 1) ||6* || = || ai || • ||6i|| - I|a i+ i|| ■ ||6i|| + ||6i|| < (||oi|| - ||ai+i||)||M + HM- 

Thus, the total number of bit operations needed in lines 4 and 5 can be 
bounded by 




30 



3. Fundamentals from Number Theory 



E o((|H|- |N| + 1)116,11) 

0 <£<t 

= 0 ( E ((lklMk+i||)||6 0 || + |N|^ 

0 <i<t 

= 0(||ao||-||6o||+i||6 0 ||) = 0(H|.||m||). 

The comparison in line 1 of the algorithm takes 0(||n|| + ||m||) bit operations. 
Thus the overall cost is 0(||n|| • ||m||) = 0(log(n) log(m)), as claimed. □ 
We now turn to an extended version of the Euclidean Algorithm. We have 
noted in Proposition 3.1.11 that the greatest common divisor d of n and m 
can be written as 

d = nx + my , 

for certain integers x and y. In our example from Table 3.1, we can write 

46 = 12742 • (-62) + 10534 • 75 = 12742 • 167 + 10534 • (-202), 

as is easily checked using a pocket calculator. Actually, there are infinitely 
many such pairs x , y , since if d = nx + my, then obviously we also have 
d = n(x + k(m/d)) + m(y — k{n/d)), for arbitrary k £ Z. But how to find the 
first such pair? Slightly extending the Euclidean Algorithm helps. 

Algorithm 3.2.4 (Extended Euclidean Algorithm) 

Input: Two integers n and m. 

Method: 

0 a, b, xa, ya, xb, yb: integer; 

1 if |n| > |m| 

2 then a <— |n|; b <— |m|; 

3 xa 4 — sign(n); ya <— 0; xb <— 0; yb <— sign(m); 

4 else a <— |m|; b 4— |n|; 

5 xa 4 — 0; ya <— sign(m); xb 4— sign(n); yb 4- 0; 

6 while b > 0 repeat 

7 q 4 - a div b; 

8 ( a , b) <— (b, a — q ■ b); 

9 (xa, ya, xb, yb) 4- (xb, yb, xa - q • xb, ya - q • yb); 

10 return (a, xa, ya); 

In the algorithm we use the signum function, defined by 
f 1 , if n > 0, 

sign(n) = | 0 , if n = 0, (3.2.2) 

1—1 , if n < 0, 



with the basic property that 
n = sign(n) • |n| for all n. 



(3.2.3) 




3.2 The Euclidean Algorithm 



31 



We note that with respect to the variables a and b nothing has changed in 
comparison to the original Euclidean Algorithm, since a — q ■ b is the same as 
a mod b. But an additional quadruple of numbers is carried along in variables 
xa, ya, xb, yb. These variables are initialized in lines 3 and 5 and change in 
parallel with a and b in the body of the loop. Finally, in line 10 the contents 
of xa and ya are returned along with gcd(n, m). We want to see that these 
two numbers are the coefficients we are looking for. 

Let x a ,i , y a ,i j Xb,i, Ub,i denote the contents of the variables xa, ya, xb, 
yb after the loop in lines 6-9 has been carried out i times. Table 3.2 gives 
the numbers obtained in the course of the computation if Algorithm 3.2.4 is 
applied to the same numbers as in the example from Table 3.1. For complete- 
ness, also the quotients qi = a^-i div h;_i, i = 1, . . . , 7, are listed. 



i 


ai 


hi 


%a,i 


Va,i 


•Eb,i 


Vb,i 




0 


12742 


10534 


0 


l 


l 


0 


- 


1 


10534 


2208 


l 


0 


-l 


l 


1 


2 


2208 


1702 


-l 


l 


5 


-4 


4 


3 


1702 


506 


5 


-4 


-6 


5 


1 


4 


506 


184 


-6 


5 


23 


-19 


3 


5 


184 


138 


23 


-19 


-52 


43 


2 


6 


138 


46 


-52 


43 


75 


-62 


1 


7 


46 


0 


75 


-62 


-277 


229 


3 



Table 3.2. The Extended Euclidean Algorithm on n = 10534 and m = 12742 

The output is the triple (46, 75, —62). We have already noted that 75 and 
—62 are coefficients that may be used for writing d = gcd(n, m) as a linear 
combination of n and m. The following lemma states that the result of the 
Extended Euclidean Algorithm always has this property. 

Lemma 3.2.5. If on input n,m the extended Euclidean Algorithm outputs 
(d, x , y), then d = gcd(n, m) = nx + my. 

Proof. We have seen before that when the algorithm terminates after t exe- 
cutions of the loop, variable a contains d = gcd(n, m). For the other part of 
the claim, we prove by induction on i that for all i < t we have 



o,i = nx at i + my a> i and b t = nx b g + my bti . (3.2.4) 

For i = 0, (3.2.4) holds by (3.2.3) and the way the variables are initialized 
in lines 1-5. For the induction step, assume (3.2.4) holds for i — 1. Then we 
have, by the way the variables are updated in the itli iteration of the loop: 

CLi = h - 1 = nx b ,i~i + my b g - 1 = nx a ,i + my a ,i, 




32 



3. Fundamentals from Number Theory 



and 

bi = aj_i-gA_i = nXaj-i+myaA-i — qiinxbj-i+myb'i-i) = nx b:i +my bti . 

In particular, the coefficients x a j and y ajt stored in xa and ya after the last 
iteration of the loop satisfy gcd(n, m) = at = nx a j. + my a ,t , as claimed. □ 
Concerning the running time of the Extended Euclidean Algorithm, we 
note that the analysis in Lemma 3.2.3(a) carries over, so on input n, m 
0(min{log(n), log(m)}) arithmetic operations are carried out. As for the cost 
in terms of bit operations, we note without proof that the number of bit 
operations is bounded by 0(log(n) log(m)) just as in the case of the simple 
Euclidean Algorithm. 



3.3 Modular Arithmetic 

We now turn to a different view on remainders: modular arithmetic. Let 
to > 2 be given (the “ modulus ”). We want to say that looking at an integer 
a we are not really interested in a but only in the remainder a mod m. Thus, 
all numbers that leave the same remainder when divided by m are considered 
“similar” . We define a binary relation on Z. 

Definition 3.3.1. Let m. > 2 be given. For arbitrary integers a and b we say 
that a is congruent to b modulo m and write 

a = b (mod m) 

if a mod m = b mod m. 

The definition immediately implies the following properties of the binary 
relation “congruence modulo m”. 

Lemma 3.3.2. Congruence modido m is an equivalence relation, i. e... we 
have 

Reflexivity: a = a (mod to) , 

Symmetry: a = b (mod to) implies b = a (mod to) , and 

Transitivity: a = b (mod to) and b = c (mod to) implies a = c (mod to) . □ 

Further, it is almost immediate from the definitions of a mod to and of = 
that 



a = b (mod to) if and only if to divides b — a. (3.3.5) 

(Write a = mq + r and b = mq' + r' with 0 < r, r' < to. Then b — a = 
m{q' — q) + (r' — r) is divisible by to if and only if r' — r is divisible by to. But 
| r' — rj < to, so the latter is equivalent to r = r' .) Property (3.3.5) is often 
used as the definition of the congruence relation. It is important to note that 
this relation is compatible with the arithmetic operations on Z (which fact is 
expressed by using the word “congruence relation”). 




3.3 Modular Arithmetic 



33 



Lemma 3.3.3. If a = a' (mod to) and b=b' (mod m), then a + b= a' + b' 
(mod m) and a ■ b = a' ■ b' (mod m), for all a,a\b,b' £ Z. Consequently, if 
a = a' and n > 0 is arbitrary, then a n = ( a') n (mod to). 

Proof. As an example, we consider the multiplicative rule. Write a' = a + qm 
and b 1 = b + rm. . Then a' ■ b' = a ■ b + ( qb + ar + qrm)m . , which implies that 
a ■ b = a' ■ b' (mod to). □ 

In many cases, this lemma makes calculating a remainder /(ai, . . . ,a r ) 
mod to. easier, for f(x \, . . . , x r ) an arbitrary arithmetic expression. We will 
use it without further comment by freely substituting equivalent terms in 
calculations. To demonstrate the power of these rules, consider the task of 
calculating the remainder (751 100 — 22 59 ) mod 4. Using Lemma 3.3.3, we see 
(since 751 = 3, 3 2 = 1, 22 = 2, and 2 2 = 0, all modulo 4): 

751 100 - 22 59 = 3 100 - 2 • (2 2 ) 29 = (3 2 ) 50 - 2 • 0 = l 50 = 1 (mod 4), 

and hence (751 100 — 22 59 ) mod 4 = 1. 

Like all equivalence relations, congruence modulo m splits its ground set 
Z into equivalence classes (or congruence classes). There is exactly one 
equivalence class for each remainder r€{0,l,...,m— 1}, since a is congruent 
to a mod to € {0, 1, . . . , to — 1} and distinct r, r' € {0, 1, . . . , to — 1} cannot 
be congruent. For m = 4 these equivalence classes are: 

{a € Z | a mod 4 = 0} = { . . . , —12, —8, —4, 0, 4, 8, 12, . . . }, 

{a G Z | a mod 4 = 1} = { . . . , -11, -7, -3, 1, 5, 9, 13, . . . }, 

{a € Z j a mod 4 = 2} = { . . . , —10, —6, —2, 2, 6, 10, 14, . . . }, 

{a G Z | a mod 4 = 3} = { . . . , -9,-5, -1, 3, 7, 11, 15, . . . }. 

We introduce an arithmetic structure on these classes. For convenience, 
we use the standard representatives from {0, 1, . . . , m — 1} as names for the 
classes, and calculate with these representatives. 

Definition 3.3.4. For m > 2 let hm be the set {0,1,..., to— 1}. On this 
set the following two operations + m ( addition modulo to) and ■ m ( multi- 
plication modulo to) are defined: 

a + m b = (a + b) mod to and a- m b = (a-b) mod to. 

(The subscript to. at the operation symbols is omitted if no confusion arises.) 

The operations + m and - m obey the standard arithmetic laws known 
from the integers: associativity, commutativity, distributivity. Moreover, both 
operations have neutral elements, and + m has inverses. 

Lemma 3.3.5. (a) a + m b = b + m a and a - m b — b - m a, for a,b £ Z m . 

(b) (a +m b) +m C = a + m ( b + m c) and (a - m b) - m c = a - m (b - m c), for 
CL, b) C G ^ m • 




34 



3. Fundamentals from Number Theory 



(c) (ft ‘m C — a * m C + m 6 * m C, foT a,b } C £ Z m . 

(d) a + m 0 = 0 + m a = a and a - m 1 = 1 - m a = a, for a £ Z m . 

(e) a + m (m — a) = (m — a) + m a = 0, for a € Z m . 

Proof. The proofs of these rules all follow the same pattern, namely one shows 

that the expressions involved are congruent modulo m, and then concludes 
that their remainders are equal. For example, the distributivity law (c) is 
proved as follows: Using Lemma 3.3.3 and the fact that always (a mod m) = a 
(mod m), we get 

(a + m b) • c = ((a + b) mod m) ■ c = (a + b)c (mod m) 



and 

a-mC+b- m c= ( ac mod m) + (be mod m) = ac + be = ( a + b)c (mod m) . 

By transitivity, (a + m b) ■ c = a - m c + b - m c (mod m), hence (a + m b) ■ m c = 
((a +m b) • c) mod m = (a - m c + b - m c) mod m = a - m c + m b - m c. □ 

Since 0 - m a = 0 for all a, the element 0 is uninteresting when looking 
at multiplication modulo m. Very often, the set Z m — {0} is not a “nice” 
structure with respect to multiplication modulo m, since it is not closed under 
this operation. For example, 12 -is 9 = 108 mod 18 = 0. More generally, if 
d = gcd(a, m) > 1, then b = gcd ^ m) < m and a- m b= gcd( ° m) • m mod m = 
0. But note the following cancellation rule. 

Proposition 3.3.6 (Cancellation Rule). 

(a) If m | ab and ged (m, a) = 1, then m divides b. 

(b) If ab = ac (mod m) and gcd(m, a) = 1, then b = c (mod m). 

Proof, (a) We write 1 = mx + ay. Then b = m(bx) + (ab)y. Since m divides 
ab by assumption, a must divide b. 

(b) Assume that ab = ac (mod m), i.e., a(b — c) = 0 (mod to). This means 
that to divides a(b — c). By (a), we conclude that m divides b — c, that means 
b = c (mod to). □ 

Elements a with gcd(a,m.) = 1 play a special role in Z m , because on this 
set the operation - m behaves nicely. 

Definition 3.3.7. For m > 1 let 

= {a | 1 < ft < to, gcd(ft, to) = 1} and <f(m) = |Z^J . 

The function <f> is called Euler’s if -function or Euler’s totient function. 

Proposition 3.3.8. (a) 1 € Z^. 

(b) If a,b £Z* m , then a -mb £Z* m . 

(c) ft £ Z* m if and only if there is some b £ Z m with a - m b = 1. 




3.4 The Chinese Remainder Theorem 



35 



Proof, (a) is trivial. — For (b) and (c) we make heavy use of Proposi- 
tion 3.1.13: 

(b) Assume gcd(a,m) = gcd ( 6 , to) = 1. We write 
1 = ax + my and 1 = bu + mv, 

for integers x, y. u, v. Then 

( ab ) • (xu) = ( ax)(bu ) = (1 — my) ■ (1 — mv) = 1 — m(y + v — myv), 

hence gcd(a&, m) = 1. By Proposition 3.1.10, this implies gcd(a& mod to, to) = 
1 . 

(c) Assume gcd(a, to) = 1. Then there are integers x and y with 
1 = ax + my. 

This implies ax — 1 = — my = 0 (mod to). Let b = x mod m. Then ab = 
ax = 1 (mod m), which implies that a - m b = 1 . 

“4=”: Assume ab mod m = 1. This means that ab — 1 = mx for some x , which 
implies gcd (a, to) = 1 . □ 

Note that by the formula in the proof of (c) “=>” it is implied that for 
a £ Z* m some b with a - m b = 1 can be found efficiently by applying the 
Extended Euclidean Algorithm 3.2.4 to a and to. 

Example 3.3.9. (a) In Z 7 = {1, 2, 3, 4, 5, 6 } we have 3 -7 3 = 2 and 3 - 75 = 1 . 
By inspection, tp( 7) = 6 . 

(b) In Z} 5 = {1, 2, 4, 7, 8 , 11, 13, 14} the products 4 -i 5 1, 4-i 5 2, 4-i 5 4, . . . , 4-i 5 14 
of 4 with elements of Z} 5 are 4, 8, 1, 13, 2, 14, 7, 11. By inspection, </?(15) = 8 . 

(c) In Z* 27 = {1,2, 4, 5, 7, 8, 10, 11, 13, 14, 16, 17, 19, 20, 22, 23, 25, 26} we have 
8 -27 17 = 1. By inspection, ip( 27) = 18. 

In Sect. 3.5 we will see how to calculate <p(n) for numbers n whose prime 
decomposition is known. 



3.4 The Chinese Remainder Theorem 

We start with an example. Consider 24 = 3 • 8 , a product of two numbers 
that are relatively prime. We set up a table of the remainders a mod 3 and 
a mod 8 , for 0 < a < 24. (Note that if a £ Z is arbitrary, then a mod 3 = 
(a mod 24) mod 3, so the remainders modulo 3 (and 8 ) of other numbers are 
obtained by cyclically extending the table.) 

If in Table 3.3 we consider the entries in rows 2 and 3 and rows 5 
and 6 as 24 pairs in Z 3 x Z§, we observe that these are all different, 
hence cover all 24 possibilities in {0,1,2} x {0,1,.. .,7}. Thus the mapping 
a 1 — > (a mod 3, a mod 8 ) is a bijection between Z 24 and Z 3 x Zg. But more 
is true: arithmetic operations carried out with elements of {0, 1, . . . , 23} are 




36 



3. Fundamentals from Number Theory 



a 


0 


1 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


a mod 3 


0 


1 


2 


0 


1 


2 


0 


1 


2 


0 


1 


2 


a mod 8 


0 


1 


2 


3 


4 


5 


6 


7 


0 


1 


2 


3 



a 


12 


13 


14 


15 


16 


17 


18 


19 


20 


21 


22 


23 


a mod 3 


0 


1 


2 


0 


1 


2 


0 


1 


2 


0 


1 


2 


a mod 8 


4 


5 


6 


7 


0 


1 


2 


3 


4 


5 


6 


7 



Table 3.3. Remainders of 0, 1, . . . , 23 modulo 3 and modulo 8 



mirrored in the remainders modulo 3 and 8. For example, addition of the 
pairs ( 2 , 7 ) and ( 2 , 1 ) yields ( 1 , 0 ), which corresponds to adding 23 and 17 to 
obtain 40 = 16 (mod 24 ). Similarly, 

( 2 5 mod 3 , 3 5 mod 8) = ( 2 , 3 ), 

which corresponds to the observation that ll 5 mod 24 = 5 . 

The Chinese Remainder Theorem says in essence that such a structural 
connection between the remainders modulo n and pairs of remainders modulo 
ni, ri2 will hold whenever n = 7iiri2 for m, n 2 relatively prime. 

Theorem 3.4.1. Let n = n\ri 2 for n\, ri 2 relatively prime. Then the map- 
ping 

<P: Z„ — > Z ni x Z„ 2 , a 1— > (a mod n\ 1 a mod n 2) 

is a bijection. Moreover, if T’(a) = (01,02) and <L>(b) = (61,62), then 

(a) <P(a + n 6) = (ai + ni 61, 02 +n 2 62); 

(b) <T{a ■ n 6) = (ai - ni 61, o 2 - n2 6 2 ); 

(c) <P(a m mod n) = ((ai) m mod m, (02)™ mod 712), for m > 0. 

Proof. We show that is one-to-one. (Since |Z„| =n = n\ri2 = \ Z ni x Z„ 2 |, 
this implies that ^ is a bijection.) Thus, assume 0 < a < 6 < n and <L(a) = 
<P(b), i.e., 

o mod ni = 6 mod ni and a mod ri2 = 6 mod n.2. 

We rewrite this as 

(6 — a) mod ni = 0 and (6 — a) mod n 2 = 0, 

i.e., 6 — a is divisible by ni and by 712 . Since n\ and 712 are relatively prime, we 
conclude by Proposition 3 . 1.15 that n divides 6 — a. Since 0 < 6 — a < n, this 
implies that a = 6 . Altogether this means that <P is one-to-one, as claimed. 





3.4 The Chinese Remainder Theorem 



37 



As for the rules (a)-(c), we only look at part (b) and show that 
&(a ■ n b ) = (a\ - ni bi, a 2 -„ 2 b 2 ). (3.4.6) 

(Parts (a) and (c) are proved similarly.) By the assumptions, we have 
a = a\ mod rii and b=b\ mod n\. 

By Lemma 3.3.3, this implies a • b = a± • b± (mod m). On the other hand, 
since ni divides n, we have a ■ b = ((a ■ b) mod n) = a - n b (mod ni). By 
transitivity, we get (a •„ b) mod ni = ai • ni bi, which is one half of (3.4.6). 
The other half, concerning n 2 ,a 2 ,b 2 , is proved in the same way. □ 

Theorem 3.4.1 may be interpreted as to say that calculating modulo n is 
equivalent to calculating “componentwise” modulo n\ and n 2 . Further, we 
will often use it in the following form. Prescribing the remainders modulo n\ 
and n 2 determines uniquely a number in {0, . . . , n — 1}. 

Corollary 3.4.2. If n = n\n 2 for n\, n 2 relatively prime, then for arbitrary 
integers X\ and x 2 there is exactly one a € Z n with 

a = x i (mod ni) and a = x 2 (mod n 2 ). (3.4.7) 

Proof. Define ai = aq mod n\ and a 2 = x 2 mod n 2 . By Theorem 3.4.1 there 
is exactly one a € Z n such that 

a = a\ (mod ni) and a = x 2 (mod n 2 ). (3.4.8) 

This a is as required. Uniqueness follows from the fact that all solutions a to 
(3.4.7) must satisfy (3.4.8), and that this is unique by Theorem 3.4.1. □ 

The Chinese Remainder Theorem can be generalized to an arbitrarily 
large finite number of factors. 

Theorem 3.4.3. Let n = n\ ■ ■ ■ n r for n \ . , n r relatively prime. Then the 
mapping 

<P : Z„ — » Z ni x • • • x Z„ r , on (a mod n \ , . . . , a mod n r ) 

is a bijection, with isomorphism properties (a)-(c) analogous to those formu- 
lated in Theorem 3.f.l. 

Proof. We just indicate the proof of the claim that <1 is a bijection. Since 

n — |Z„ | — Tl — Til ' ' ' fir — |^ni x * * * x Z„ r | , 

again it is sufficient to show that <h is one-to-one. Assume 0 < a < b < n and 

(a mod ni, . . . , a mod n r ) = ( b mod n\,...,b mod n r ). 

Then b — a is divisible by n \, . . . , n r , and since these numbers are relatively 
prime, b — a is also divisible by n. Since 0 < b — a < n, we conclude a = b. 




38 



3. Fundamentals from Number Theory 



The isomorphism properties are easily checked, just as in the case with two 
factors. □ 

It is an interesting and important consequence of the Chinese Remainder 
Theorem that <P also provides a bijection between Z* and Z* ± x Z* 2 . For 
example, in Table 3.3 the elements 1, 5, 7, 11, 13, 17, 19, 23 of Z 24 are mapped 
to the pairs (1, 1), (2, 5), (1, 7), (2, 3), (1, 5), (2, 1), (1, 3), (2, 7) of Z| x Z§. 

Lemma 3.4.4. Assume n = niu .2 for relatively prime factors n\ and 7 x 2 , 
and <P( a ) = ( 01 , 02 ). Then a £ Z* if and only if ai € Z* and 02 € Z * . 

Proof. For both directions, we intensively use Proposition 3.1.13. 

Assume a € Z* . Write 1 = au + nv for integers u and v. We know that 
a = 01 + kn\ for k = a div m. Hence 

1 = (01 + kn\)u + nv = a±u + (. ku + n 2 v)n±, 

which implies that ai £ Z* . The proof that 02 £ Z* is identical. 

“ 4 =”: Assume ai £ Z * 2 and 02 £ Z* 2 . Write 

1 = aitti + niUi and 1 = 02112 + U 2 V 2 , 

for suitable integers Ui,Vi,U 2 ,V 2 - By Corollary 3.4.2 there is some u £ Z* 
with u = U\ (mod ni) and u = U 2 (mod n 2 ). Then 

au = a±ui = 1 (mod m) and au = 02^2 = 1 (mod 712 ). 

Using Corollary 3.4.2 again we conclude that au = 1 (mod n), or a - n u = 1, 
and hence that a £ Z* by Proposition 3.3.8(c). □ 

Corollary 3.4.5. If n = n\n 2 for n\, n 2 relatively prime, then <p(n) = 
<p(ni) ■ <p(n 2 ). 

Proof. Using the previous lemma, we have 

P(n) = \K\ = l Z m I ' \K 2 1 = <P( n i) ' Pina). □ 

3.5 Prime Numbers 

In this section, we consider prime numbers and establish some basic facts 
about them. In particular, we state and prove the fundamental theorem of 
arithmetic, which says that every positive integer can be written as a product 
of prime numbers in a unique way. 




3.5 Prime Numbers 



39 



3.5.1 Basic Observations and the Sieve of Eratosthenes 

Definition 3.5.1. A positive integer n is a prime number or a prime for 
short, if n > 1 and there is no number that divides n excepting 1 and n. If n 
is divisible by some a, 1 < a < n, then n is a composite number. 

Here is a list of the 25 prime numbers between 1 and 100: 

2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,79,83,89,97. 

For example, 2 is a prime number, and 3, but 4 is not, since 4=2-2, and 6 
is not, since 6 = 2-3. 

Here is a first basic fact about the relationship between natural numbers 
and prime numbers, which is more or less immediate. 

Lemma 3.5.2. If n > 2, then n is divisible by some prime number. 

Proof. If n has no proper divisor, then n is a prime number, and of course 
n divides n. Otherwise n has a proper divisor m, 1 < ni < n. If n\ has no 
proper divisor, then rii is a prime number, and ni divides n. Otherwise we 
continue in the same way to see that there is a proper divisor 7)2 of n\, and so 
on. We obtain a sequence n > n\ > 77.2 > • • • of divisors of n. Such a sequence 
cannot be infinite, hence after a finite number of steps we reach a divisor nt 
of n with nt >2 that has no proper divisors, hence is a prime number. □ 
For example, consider the number n = 1000. Our procedure could discover 
the divisors 500,250,50,10, in this order, and finally reach the prime factor 
2 of 1000. The reader is invited to check that the number of rounds in the 
procedure just described cannot be larger than [log nj . Note however that 
this does not mean at all that a prime factor of n can always be found in 
log n steps by an efficient algorithm. The problem is that it is not known how 
to find a proper divisor of n fast even if n is known to be composite. 

The venerable theorem noted next was proved by Euclid. 

Theorem 3.5.3. There are infinitely many prime numbers. 

Proof. Let p\, ... ,p s be an arbitrary finite list of distinct prime numbers. We 
form the number n = p\ ■ ■ -p s + 1. By Lemma 3.5.2 n is divisible by some 
prime number p. This p must be different from pi, ... ,p s . (If p were equal 
to Pj, then p would be a common divisor of n and p\ ■ ■ -p s = n — 1, hence 
p would divide n — (n — 1) = 1, which is impossible.) Thus, no finite list of 
prime numbers can contain all prime numbers. □ 

In order to make a list of the prime numbers up to some number n, the 
easiest way is to use the “Sieve of Eratosthenes” . This is an ancient algorithm 
that can be described informally as follows: Set up a list of all numbers 
in {2, . . . ,n}. Initially all numbers are unmarked; some of the numbers will 
become marked in the course of the calculation. For j = 2, 3, ... , [y/n ._ | , do the 
following: if j is unmarked, then mark all multiples i = sj of j for j < s < n/ j. 




40 



3. Fundamentals from Number Theory 



It is not very hard to see that the numbers that are left unmarked are 
exactly the prime numbers in the interval [2,n]. Indeed, no prime number is 
ever marked, since only numbers sj with s > j > 2 are marked. Conversely, if 
k < n is composite, then write k as a product ab with b > a > 2. Obviously, 
then, a < y/k < yfn. By Lemma 3.5.2 there is some prime number p that 
divides a. Then we may write k = sp for some s > 6, hence s > p. When j 
attains the value p, this prime number turns out to be unmarked, and the 
number k becomes marked as the multiple sp of p. 

A slightly more elaborate version of the Sieve of Eratosthenes, given next, 
even marks each composite number in [2,n] with its smallest prime divisor. 

Algorithm 3.5.4 (The Sieve of Eratosthenes) 

Input: Integer n > 2 
Method: 

1 m[2..n]: array of integer; 

2 for j from 2 to n do m[j] <— 0; 

3 j <-2; 

4 while j • j < n do 

5 if m[j] = 0 then 

6 i <— j • j; 

7 while i < n do 

8 if m[i] = 0 then m[i] <— j; 

9 i 4 - i + j; 

10 j j + 1; 

11 return m[2..n]; 



The algorithm varies the idea sketched above as follows. Instead of at- 
taching a “mark” to k, m[fe] is assigned a nonzero value. The j-loop (lines 
4-10) treats the numbers j = 2,3,..., in order. If m[j] turns out to 

be nonzero when j has value j, then in the i-loop (lines 7-9) the unmarked 
multiples of j are marked with j. — The algorithm is easily analyzed. As 
before, if k < n is a prime number, then the value m[fc] stays 0 throughout. 
Assume now that k < n is composite. Consider the smallest prime number 
p that is a divisor of k, and write k = sp for some s > 2. By Lemma 3.5.2, 
s is divisible by some prime number p 1 , which then must exceed p; hence 
p 2 < sp = k < n. From the algorithm it is then obvious that in the iteration 
of the j-loop (lines 4-10) in which the variable j contains p the array compo- 
nent m[fc] will be assigned the value p. (It cannot get a value different from 0 
before that, since this would imply that k is divisible by some number j < p , 
which is impossible by the choice of p.) 

What is the time complexity of Algorithm 3.5.4? The number of iterations 
of the j-loop is bounded by y/n. Iterations in which j contains a composite 
number take constant time. Thus we should bound the number of marking 




3.5 Prime Numbers 



41 



steps in the various runs of the i-loop, including those in which the algorithm 
tries to mark a number already marked. For each prime p < yfn there are no 
more than ?z/p many multiples sp < n. Hence the total number of marking 
steps is bounded by 

Y ~ <n- Y “> ( 3 - 5 - 9 ) 

p<y/n P<V™ 

where the sums extend over the prime numbers p < y/n. The last sum is cer- 
tainly not larger than r < 1 + hi \fn = 1 + 1 In n (see Lemma A. 2. 4 in 

the appendix), hence the number of marking steps is bounded by 0(n log n). 
(Actually, it is well known that Y1 P < X P — 1° l' 1 x + 0(1), for x — » oo, hence 
the number of marking steps in this naive implementation of the Sieve of 
Eratosthenes is really 0(nloglogn). See, for example, [31].) 

Example 3.5.5. Let n = 300. The first few values taken by j are 2 (which 
leads to all even numbers > 4 being marked with 2), then 3 (which leads to 
all odd numbers divisible by 3 being marked with 3), then 4, which is marked 
(with 2), then 5 (which leads to all odd numbers divisible by 5 but not by 3 
being marked with 5). This identifies 2, 3, and 5 as the first prime numbers. 





7 


11 


13 


17 


19 


23 


29 


31 


37 


41 


43 


47 


7|49 


53 


59 


61 


67 


71 


73 


r|77 


79 


83 


89 


7|91 


97 


101 


103 


107 


109 


113 


7| 1 19 


n| 121 


127 


131 


r| 133 


137 


139 


n| 143 


149 


151 


157 


T| 161 


163 


167 


i3| 169 


173 


179 


181 


11)187 


191 


193 


197 


199 


7|203 


n|209 


211 


r| 217 


13|221 


223 


227 


229 


233 


239 


241 


13| 247 


251 


n|253 


257 


7|259 


263 


269 


271 


277 


281 


283 


7|287 


i7|289 


293 


i3|299 



Table 3.4. Result of Sieve of Eratosthenes, n = 300 



Still unmarked are those numbers larger than 5 that leave remainder 1, 7, 11, 
13, 17, 19, 23, or 29 when divided by 30. 

In the next round the following multiples of 7 are marked with 7: 

49, 77, 91, 119, 133, 161, 203, 217, 259, 287. 

Then the following multiples of 11 (with 11): 

121,143,187,209,253. 




42 



3. Fundamentals from Number Theory 



Then the multiples 169, 221, 247, and 299 of 13, with 13, and finally the 
multiple 289 of 17, with 17. This creates the list in Table 3.4, with the 59 
primes in {7, 8, . . . , 300} in bold and composite numbers marked by their 
smallest prime factor. Note that for the numbers a that do not occur in the 
list, i.e. , the multiples of 2, 3, and 5, it is easy to obtain the smallest prime 
dividing a from the decimal representation of a. 

3.5.2 The Fundamental Theorem of Arithmetic 

Once the Sieve of Eratosthenes has been run on an input n, with result m[2..n], 
we may rapidly split an arbitrary given number k < n into factors that are 
prime. Indeed, read i = m[&]. If * = 0, then k is prime, and we are done. 
Otherwise i = p\ for pi the smallest prime divisor of k. Let k\ = k/p\ (which 
is < kj 2). By iterating, find a way of writing k\ = P 2 • • -p r as a product 
of prime numbers. Then k = p\ ■ P 2 • • ■ p r is the desired representation as a 
product of prime numbers. (In practice, this method is applicable only for 
k that are so small that we can afford the O(nloglogn) cost of running the 
Sieve of Eratosthenes on some n > k.) A representation n = pi ■ ■ ■ p r of n 
as a product of r > 0 prime numbers p\,...,p r , not necessarily distinct, 
is called a prime decomposition of n. The number 1 can be represented 
by the “empty product” of zero factors, a prime number p is represented 
as a “product” of one factor. Theorem 3.5.8 to follow is the very basic fact 
about the relationship between the natural numbers and the prime numbers, 
known and believed since ancient times, proved rigorously by Gauss. It says 
that every positive integer has one and only one prime decomposition. 

Because this result is basic for everything that follows, we give a proof. We 
start with a lemma that says that a prime decomposition exists. Although we 
have just seen that this can be deduced by extending the Sieve of Eratosthenes 
method, we give a short, abstract proof. 

Lemma 3.5.6. Every integer n > 1 has a prime decomposition. 

Proof. This is proved by induction on n. If n = 1, then n is written as the 
empty product of primes. Thus, assume n > 2. By Lemma 3.5.2, n can be 
written n = p-n' for some prime p and some number n' . If n' = 1, then n = p, 
and this is the desired prime decomposition. If 1 < v! = n/p < n, we apply 
the induction hypothesis to n' to see that there is a prime decomposition 
n' = pi ■ ■ ■ p r of n'. Then n = p ■ pi ■ ■ ■ p r is the desired prime decomposition 
of n. □ 

Lemma 3.5.7. Let n > 1, and let p be a prime number. Then p is a divisor 
of n if and only if n has a prime decomposition in which p occurs as a factor. 

Proof. “4=”: If n = p\ ■ ■ -p r with p = Pj, then obviously p divides n. 

By assumption, we may write n = p-n 1 for some n! < n. By 
Lemma 3.5.6, we may write n' = pi ■ ■ -p r as the product of r prime numbers, 




3.5 Prime Numbers 



43 



r > 0. Clearly, then n = p ■ p\ ■ ■ ■ p r is the desired prime decomposition of n 
in which p occurs. □ 

Theorem 3.5.8 (The Fundamental Theorem of Arithmetic). 

Every integer n > 1 can be written as a product of prime numbers in exactly 
one way (if the order of the factors is disregarded) . 

Proof, (a) The existence of the prime decomposition is given by 
Lemma 3.5.6. 

(b) For the uniqueness of the decomposition we argue indirectly. Assume for 
a contradiction that there is an integer n > 1 that possesses two different 
prime decompositions: 

n = pi---p r = qi---q s , r,s> 0 . 

It is clear that r = 0 or s = 0 is impossible, since then n would have to be 
1, and the number 1 has only one prime decomposition (the empty product). 
We choose an n > 2 that is minimal with this property. Then we observe that 
{pi, . . . ,p r } and {gi, . . . , q s } must be disjoint. (If pi = qj, then n/pi would 
have two different prime decompositions, in contradiction to our choosing 
n minimal with this property.) We may assume that p\ < q\. (Otherwise 
interchange the two decompositions.) Now consider the number 

m = n-piq 2 ---q s = (gi ~ Pi)q 2 - ■ ■ q s - 

We have 0 < m < n. The number m has a prime decomposition without 
the prime number pi. (Indeed, qi — p\ cannot be divisible by p\, since oth- 
erwise the prime number qi = pi + (qi — Pi) would be divisible by p\ < q±. 
By Lemma 3.5.6, q\ — pi has a prime decomposition p\ ■ ■ ■ p' t , which does 
not contain p\. Then the prime decomposition p[ ■ ■ ■ p' t ■ q 2 ■ ■ ■ q s of m does 
not contain pi either.) On the other hand, m is divisible by pi (since n and 
Piq 2 • • • q s are), which by Lemma 3.5.7 implies that m has a prime decomposi- 
tion in which p\ does occur. Thus m has two different prime decompositions, 
contradicting our choosing n minimal with this property. This means that 
there can be no n with two different prime decompositions. □ 

Very often, the prime decomposition of a number n is written as 

n = p^ 1 ■ ■ ■ Pr r , (3.5.10) 

where pi,...,p r , r > 0, are the distinct prime numbers that occur in the 
prime decomposition of n, and ki > 1 is the number of times pi occurs as a 
factor in this prime decomposition, for 1 < * < r. 

The fundamental theorem entails that the method sketched above for 
obtaining a prime decomposition on the basis of applying the Sieve of 
Eratosthenes to n in fact yields the unique prime factorization for k < n. 

Corollary 3.5.9. If a prime number p divides n ■ m, then p divides n or p 
divides m. 




44 



3. Fundamentals from Number Theory 



Proof. Choose prime decompositions pi ■ ■ ■ p r of n and q\ - ■ ■ q s of m. Then 
Pi • • • Pr • Qi • • • Qs is a prime decomposition of n ■ m. By Lemma 3.5.7 and the 
fundamental theorem (Theorem 3.5.8) p appears among pi, . . . ,p r , qi, ■ ■ ■ , q r - 
If p is one of the pi , then p divides n, otherwise it is among the qj ' s and hence 
divides m. □ 

Corollary 3.5.10. Ifpi , . . . ,p r are distinct prime numbers that all divide n, 
then p\ ■ ■ -p r divides n. 

Proof. Let n = q\ ■ ■ ■ q s be the prime decomposition of n. For each pi we 
have the following: By Lemma 3.5.7 and Theorem 3.5.8, pi must occur among 
qi, . . . , q s . Now the p t are distinct, so by reordering we may assume pi = qi, 
for 1 < i < r. Then n = (pi ■ ■ -p r ) ■ ( q r +i • • • q s ), which proves the claim. □ 
We close this section with a remark on the connection between the concept 
of numbers being relatively prime and their prime factorization and draw a 
consequence for the problem of calculating pin). 

Proposition 3.5.11. Let n,m > 1 have prime decompositions n = pi ■ ■ -p r 
and m = qi ■ ■ • q s . Then a, b are relatively prime if and only if {pi, . . . ,p r } C I 
{q 1 ,...,q s } = 0. 

Proof. Indirectly. Suppose a prime number p occurred in both prime 

decompositions. Then p would divide both n and m, hence gcd(n, m) would 
be larger than 1. — “4=”: Indirectly. Suppose gcd(n,m) > 1. Then there is a 
prime number p that divides gcd(n, m) and hence divides both n and m. By 
Theorem 3.5.8 p occurs in {pi, . . . ,p r } and in {qi , . . . , g s }. □ 

Corollary 3.4.5 stated that ip(ni • n. 2 ) = <p( n i) ' 7 ? ( n 2 ) if n-i and 712 are 
relatively prime. This makes it possible to calculate p(n) for n easily once 
the prime decomposition of n is known. 

Proposition 3.5.12. If n > 1 has the prime decomposition n = p J 1 • • ■pf. r 
for distinct prime numbers pi, ■ ■ ■ ,p r , then 

Tin) = n “ f)^” 1 = n ■ i 1 - ff 

1 <i<r 1 <i<r ' 

Proof. The formulas are trivially correct for n = 1. Thus, assume n > 2. 
Case 1: n is a prime number. — Then <p(n) = | { 1, . . . , n — 1} | = n — 1, and 
the formulas are correct. 

Case 2: n = p k for a prime number p and some k > 2. — Then 
<p(n) = |{a | 1 < a < p k ,p\ a} | = p k - |{a | 1 < a < p k ,p \ a}| 

=p k -p k - i = ( p -i)-p k - i =p k - (i-£) . 

Case 3 : n = p kl • ■ ■ p kr for r > 2. — The factors p kl , . . . ,p kr are pairwise 
relatively prime, by Proposition 3.5.11. We apply Corollary 3.4.5 repeatedly 
to conclude that 




3.6 Chebychev’s Theorem on the Density of Prime Numbers 



45 



<P(n) = II PiPi*)’ 

l<i<r 



which by Case 2 means 

‘pH = n ijpi - x ) ■ p ki_i = n pki ■ f 1 - —) = n - n 

1 <i<r 1 <i<r ' Pl ' 1 <i<r 




□ 

For example, we have 

¥>(7) = 6; 

¥>(15) =¥>(3-5) = 2-4 = 8 = 15 - § • f, 

¥>(210) = ¥>(2 • 3 • 5 • 7) = 1 • 2 • 4 • 6 = 48 = 210 • \ ■ § • § • f , 

¥>(1000) = ¥>(2 3 • 5 3 ) = 1 • 2 2 • 4 • 5 2 = 400 = 1000 • \ • § , 

¥>(6860) = ¥>(2 2 • 5 • 7 3 ) = 1 • 2 • 4 • 6 • 7 2 = 2352 = 6860 • \ ■ § • f . 



3.6 Chebychev’s Theorem on the Density of Prime 
Numbers 

In this section, we develop upper and lower bounds on the density of the prime 
numbers in the natural numbers. Up to now, we only know that there are 
infinitely many prime numbers. We want to estimate how many primes there 
are up to some bound x. Results of the type given here were first proved by 
Clrebyclrev in 1852, and so they are known as “Clrebyclrev-type estimates”. 

Definition 3.6.1. For x > 1, let tt(x) denote the number of primes p < x. 

Table 3.5 lists some values of this function, and compares it with the 
function x/{\.nx — 1). 



X 


2 


3 


4 


5 


6 


7 


8 


9 


10 


11 


12 


13 


14 


15 


20 


30 


n(x) 


1 


2 


2 


3 


3 


4 


4 


4 


4 


5 


5 


6 


6 


6 


8 


10 



X 


40 


50 


70 


100 


200 


500 


1000 


5000 


10000 


n(x) 


12 


15 


19 


25 


46 


95 


168 


669 


1229 


x/(\nx — 1) 


14.9 


17.2 


21.5 


27.7 


46.5 


95.9 


169.3 


665.1 


1218.0 



Table 3.5. The prime counting function n(x) for some integral values of x\ values 
of the function */(lna> — 1) (rounded) in comparison 



The following theorem is important, deep, and famous; it was conjectured 
as early as in the 18tlr century by Gauss, but proved only in 1896, indepen- 
dently by Hadamard and de la Vallee Poussin. 






46 



3. Fundamentals from Number Theory 



Theorem 3.6.2 (The Prime Number Theorem). 



lim 

x—*oo 



7r(x) 
x/ In x 



= 1 



The prime number theorem should be read as follows: asymptotically, 
that means for large enough x, about a fraction of 1 in In x of the numbers 
< x will be primes, or, the density of prime numbers among the integers in 
the neighborhood of x is around 1 in lnx. Actually, the figure x/(lnx — 1) 
is an even better approximation. We can thus estimate that the percentage 
of primes in numbers that can be written with up to 50 decimal digits is 
about l/ln(10 50 — 1) = 1/(50 In 10 — 1) « 1/114 or 0.88 percent; for 100 
decimal digits the percentage is about l/ln(10 lo ° — 1) = 1/(100 In 10 — 1) ss 
1/229. In general, doubling the number of digits will approximately halve the 
percentage of prime numbers. Readers who wish to see a full proof of the 
prime number theorem are referred to [6]; for details on the quality of the 
approximation see [16]. 

We cannot prove the prime number theorem here, and really we do not 
need it. Rather, we are content with showing that 7r(x) = <9(x/logx), which 
is sufficient for our purposes. The proofs for these weaker upper and lower 
bounds are both classical gems and quite clear and should give the reader 
a good intuitive understanding of why the density of prime numbers in 
{1, ...,iV} is 0 ( 1/log N). We will have the opportunity to use a variant 
of these bounds (Proposition 3.6.9) in the analysis of the deterministic pri- 
mality test. Moreover, lower bounds on the density of the prime numbers 
are important for analyzing the running time of randomized procedures for 
generating large prime numbers. 



Theorem 3.6.3. For all integers N > 2 we have 



N 

log IV 



2 < 7 t(N) < 



3 N 
log N 



We prove the lower bound first, and then turn to the upper bound. 

Proof of Theorem 3.6.3 — The Lower Bound. First, we focus on even 
numbers N, of the form N = 2 n. In the center of the lower bound proof 
stands the binomial coefficient 



/2ri\ (2n)! 2n(2n — 1) • • • (n + 1) 

\n J n! • n! n(n — 1) • • • 1 



(For a discussion of factorials n! and binomial coefficients (£) see Ap- 
pendix A.l.) Recall that ( 2n ) is the number of n-element subsets of a 271- 
element set and as such is a natural number. In comparison to 2 n the num- 
ber ( /*) is very large, namely very close to 2 2n . Now consider the prime 
decomposition 




3.6 Chebychev’s Theorem on the Density of Prime Numbers 



47 




The crucial observation we will make is that for no p s can the factor p ks in this 
product be larger than 2 n. To get the big number ( ") as a product of such 
small contributions requires that the prime decomposition of ( ^ contains 
many different primes — namely, l?(2n/ log(2n)) many — all of them < 2 n, 
of course. To extend the estimate to odd numbers 2n + 1 is only a technical 
matter. 

Next, we will fill in the details of this sketch. 

First, we orient ourselves about the order of magnitude of ( ”). We have 
2 2n /2r>\ 

< ( ) < 2 2ra , for all n > 1. (3.6.11) 

2 n \ n J 

Roughly, this is because J2a<i<2n C T) = 2 2n ^y the binomial theorem, 
and because ( ") is the largest term in the sum. (For the details, see 
Lemma A. 1.2(c) in Appendix A.l.) 

For a number m and a prime p we denote the exact power to which p 
appears in the prime factorization of m by v p {m). Thus u p (rri) is the largest 
k > 0 so that p k | m, and 

m=\\ p^ m \ 

p | m 

where the product extends over all prime factors of m. 

For example, 2/3(18) = 2/3(2 -3 2 ) = 2, 2/ 2 (10 fc ) = u 5 [\0 k ) = k. Interestingly, 
it is almost trivial to calculate to which power a prime divides the number 
nl. This is most easily expressed using the “floor function” (defined in Ap- 
pendix A. 2). To give some intuitive sense to the following formula, note that 
for integers a > 0 and b > 1 the number |_§ J = a div b equals the number of 
multiples b, 26, 36, ... of 6 that do not exceed a. 

Lemma 3.6.4 (Legendre). For all n > 1 and all primes p we have 



/OD = X! 



fc> 1 L 



Proof. The proof is a typical example for a simple, but very helpful counting 
technique used a lot in combinatorics as well as in the amortized analysis of 
algorithms. Consider the set 

Rp,n = {(i, k) | 1 < * < n and p k divides i }. 

Table 3.6 depicts an example for this set (jp = 2 and n = 20) as a matrix with 
log p (n) rows and n columns, and entries 1 (•) and 0 (empty). We obtain 




48 



3. Fundamentals from Number Theory 





*=123456789 


10 11 12 13 14 15 16 17 18 19 20 


k = 1 




2 


• • 


• • • 


3 


• 


• 


4 


• | 



Table 3.6. The relation R v , n for p = 2 and n = 20 



two formulas for \R p , n \ (corresponding to the number of *’s in the table): 
counting column-wise, we get 

\R P ,n\ = ^2 |{fc > 1 | p k divides i}\ = E max{ k > 1 | p k divides i } 

l<i<n l<i<n 

= E = o>o ! ) > 

l<i<n 

counting row-wise, we get 



\Rp,n\ = XE’ I 1 ^ ^ 

fc> 1 



k>l 



Since both results must be the same, the lemma is proved. □ 

For example, if n = 20 and p = 2, we have ^(20) = 10 + 5 + 2 + 1 = 18. 
Incidentally, the example suggests (and it is easily verified) that the sequence 




may be calculated by taking no = n, and iteratively dividing by p: n\ = 
no div p, ri 2 = n\ div p , and so on, until the quotient becomes 0. v p (n\) is 
then obtained by adding the nonzero Uk, k > 1. 

Lemma 3.6.5. If p is prime and I — J y p(( 2 ^ 1 ')), then p e < 2 n. 

Proof. We can calculate the exponent I = ^ P (( 2 ")) of p in ( 2 ") as follows, 
using Lemma 3.6.4: 

£=Up ((*n)) = = zy p(( 2n ) ! ) - 2 z/ p( n! ) 

2 n 

pk 

Obviously, in the last sum the summands for k with p k > 2 n are all 0. By 
Lemma A. 2. 2, we have \2y\ — 2[y\ £ {0, 1} for all real numbers y > 0; hence 
the summands for k with 1 < p k < 2n are either 0 or 1. Hence 

£ < max{/c > 1 | p k < 2n} , and p £ < 2 n. (3.6.12) 





□ 





3.6 Chebychev’s Theorem on the Density of Prime Numbers 



49 



Now we can establish a first connection between the prime counting func- 
tion 7r(x) and the binomial coefficients. 

Lemma 3.6.6. For all n > 1, 

( 2 ;) < (2 

Proof. Consider the prime factorization 




of ( ”). The primes that occur in this factorization are factors of (2 n)!, hence 
cannot be larger than 2 n. Thus r, the number of different primes occurring 
in ( "), is not larger than 7r(2n). From the previous lemma we get that each 
factor Ps* is bounded by 2 n. Thus, 

p kl ---p kr < (2n) r < {2n)^ 2n \ 



which proves the lemma. □ 

The last lemma enables us to finish the proof of the lower bound in Theo- 
rem 3.6.3. Assume first that N = 2n is even. We combine Lemma 3.6.6 with 
the lower bound ( 2 ^) > 2 2 "/2 n from inequality (3.6.11) to get 



(2 nY (2n) 



2 2 n 




by taking logarithms and dividing by log(2n) we obtain 7r(2 n) > 2 n/ log(2n) — 
1. If N = 2n + 1 is odd, we estimate, using the result for 2 n: 



7r(2 n + 1) > 7r(2 n) > 



2 n 



log(2n) 



-1 > 



2 n 



log(2n + 1) 



-1 > 



2n 1 
log(2n + 1) 



-2 . 



In either case, we have 



n(N) > 



N 



log N 



- 2 



as claimed. □ 

Proof of Theorem 3.6.3 — The Upper Bound. We start with a lemma 
(first proved by P. Erdos), which states a rough, but very useful upper bound 
for the products of initial segments of the sequence of prime numbers. As 
examples note: 



2-3= 6 < 

2 • 3 • 5 = 30 < 

2 • 3 • 5 • 7 = 210 < 



16 = 4 2 
256 = 4 4 
4096 = 4 6 



2 • 3 • 5 • 7 • 11 = 3210 < 1048576 = 4 10 




50 



3. Fundamentals from Number Theory 



In contrast, note that for constant a, 0 < a < 1, and c > 1 the product iV! of 
all integers from 1 up to aN becomes (much) larger than c N for sufficiently 
large N, no matter how small a and how large c are chosen. To see this, 
consider that inequality (A. 1.2) says (aN)\ > (aN/e ) aN , hence ( aN)\/c N > 
((N/C ) a ) N , for a suitable constant C. Thus the following innocent-looking 
lemma already makes it clear that the density of the prime numbers below 
N must be significantly smaller than a constant fraction. 

Lemma 3.6.7. If N > 2, then 

n p<4 w -\ 

p<N 

where the product extends over all prime numbers p < N. 

Proof. Again, in the center of the proof are cleverly chosen binomial coeffi- 
cients, this time the numbers 

f2m+l\ ( 2 m + 1 )! ( 2 m + l)( 2 m) • • • (m + 2 ) c 1oA 

o m = = t , . = ; . 3.6.13 

\ m J (m+l)'m! ml 

for m > 1. (Examples: bi = 3, b 2 = 10 = 2 • 5, b 3 = 35 = 5 • 7, 64 = 126 = 
2 • 3 2 • 7, 65 = 462 = 2 • 3 • 7 • 11, and so on.) The number b m is divisible by all 
prime numbers p, for m + 2 < p < 2m. + 1. Indeed, in the rightmost fraction in 
(3.6.13) the numerator contains all these prime numbers as explicit factors, 
the denominator cannot contain any of them. This immediately leads to the 
upper bound 

II P<b m , (3.6.14) 

m+2<p<2m+l 



where the product extends over the primes p in {m+2, ... , 2m+l}. An upper 
bound for b m is obtained as follows: We know (see (A. 1.4) in Appendix A.l) 
that 

£ (' 2m + 1 ')= 2 2 m+ 1 -2, (3.6.15) 

and observe that b m = ( 2m r ^ 1 ) = ( 2 ^ 4 f 1 1 ) occurs twice in this sum (see 
Lemma A. 1.2(a)). Hence b m < \ ■ 2 2m+1 = 4 m . Combining this with (3.6.14) 
we obtain 

p < 4 m , for m > 1 . (3.6.16) 

m+2<p<2m+l 



Now we may prove the claimed inequality rip<jv P < 4 N 1 for integers N > 2, 
by induction on N. 




